| openssh |
A critical security vulnerability has been discovered in OpenSSH implementations on FreeBSD systems, potentially allowing attackers to execute remote code without authentication. The vulnerability, identified as CVE-2024-7589, affects all supported versions of FreeBSD. |
CVE-2024-7589 |
High |
None |
CORE-13.0-U5.3 |
N/A False Positive |
Link |
The OpenSSH in TrueNAS is not built with the vulnerable feature enabled. TrueNAS is not vulnerable to this issue. |
| openssh |
A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. |
CVE-2024-6387 |
High |
High |
CORE-13.0-U5.3 |
CORE-13.0-U6.2 |
Link |
|
| py39-configobj-5.0.6_1 |
All versions of the package configobj are vulnerable to Regular Expression Denial of Service (ReDoS) via the validate function, using (.+?)\((.*)\). **Note:** This is only exploitable in the case of a developer, putting the offending value in a server side configuration file. |
CVE-2023-26112 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Only exploitable by privlidged local user who already has full access to the system. |
| git-lite-2.34.1 |
Git is an open source, scalable, distributed revision control system. `git shell` is a restricted login shell that can be used to implement Git's push/pull functionality via SSH. In versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4, the function that splits the command arguments into an array improperly uses an `int` to represent the number of entries in the array, allowing a malicious actor to intentionally overflow the return value, leading to arbitrary heap writes. Because the resulting array is then passed to `execv()`, it is possible to leverage this attack to gain remote code execution on a victim machine. Note that a victim must first allow access to `git shell` as a login shell in order to be vulnerable to this attack. This problem is patched in versions 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 and users are advised to upgrade to the latest version. Disabling `git shell` access via remote logins is a viable short-term workaround. |
CVE-2022-39260 |
High |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Authorized SSH users are able to exploit this vulnerability, following recommended security configuration to not provide this access mitigates this issue |
| git-lite-2.34.1 |
Git is an open source, scalable, distributed revision control system. Versions prior to 2.30.6, 2.31.5, 2.32.4, 2.33.5, 2.34.5, 2.35.5, 2.36.3, and 2.37.4 are subject to exposure of sensitive information to a malicious actor. When performing a local clone (where the source and target of the clone are on the same volume), Git copies the contents of the source's `$GIT_DIR/objects` directory into the destination by either creating hardlinks to the source contents, or copying them (if hardlinks are disabled via `--no-hardlinks`). A malicious actor could convince a victim to clone a repository with a symbolic link pointing at sensitive information on the victim's machine. This can be done either by having the victim clone a malicious repository on the same machine, or having them clone a malicious repository embedded as a bare repository via a submodule from any source, provided they clone with the `--recurse-submodules` option. Git does not create symbolic links in the `$GIT_DIR/objects` directory. The problem has been patched in the versions published on 2022-10-18, and backported to v2.30.x. Potential workarounds: Avoid cloning untrusted repositories using the `--local` optimization when on a shared machine, either by passing the `--no-local` option to `git clone` or cloning from a URL that uses the `file://` scheme. Alternatively, avoid cloning repositories from untrusted sources with `--recurse-submodules` or run `git config --global protocol.file.allow user`. |
CVE-2022-39253 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Authorized SSH users are able to exploit this vulnerability, following recommended security configuration to not provide this access mitigates this issue |
| git |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. |
CVE-2023-29007 |
High |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Git is not exposed to TrueNAS users in a manner which makes this exploitable. |
| git |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. |
CVE-2023-25652 |
High |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Git is not exposed to TrueNAS users in a manner which makes this exploitable. |
| py39-beaker-1.11.0 is vulnerable |
The Beaker library through 1.11.0 for Python is affected by deserialization of untrusted data, which could lead to arbitrary code execution.
|
CVE-2013-7489 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Only exploitable by privlidged local user who already has full access to the system. |
| minio-2021.12.27.07.23.18_1 |
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. |
CVE-2022-24842 |
High |
Critical |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| minio-2021.12.27.07.23.18_1 |
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well. |
CVE-2023-28432 |
High |
Critical |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| minio-2021.12.27.07.23.18_1 |
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off` |
CVE-2023-28434 |
High |
Critical |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
Built-in Service is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| libxml2-2.9.12 |
An issue was discovered in libxml2 before 2.10.4. When hashing empty dict strings in a crafted XML document, xmlDictComputeFastKey in dict.c can produce non-deterministic values, leading to various logic and memory errors, such as a double free. This behavior occurs because there is an attempt to use the first byte of an empty string, and any value is possible (not solely the '\0' value). |
CVE-2023-29469 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| libxml2-2.9.12 |
In libxml2 before 2.10.4, parsing of certain invalid XSD schemas can lead to a NULL pointer dereference and subsequently a segfault. This occurs in xmlSchemaFixupComplexType in xmlschemas.c. |
CVE-2023-28484 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| squashfs-tools-4.3_1 |
Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input, which triggers a stack-based buffer overflow. |
CVE-2015-4645 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| pixman-0.40.0_1 |
In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.
|
CVE-2022-44638 |
High |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| py39-sentry-sdk-1.4.3 |
Sentry SDK is the official Python SDK for Sentry, real-time crash reporting software. When using the Django integration of versions prior to 1.14.0 of the Sentry SDK in a specific configuration it is possible to leak sensitive cookies values, including the session cookie to Sentry. These sensitive cookies could then be used by someone with access to your Sentry issues to impersonate or escalate their privileges within your application. In order for these sensitive values to be leaked, the Sentry SDK configuration must have `sendDefaultPII` set to `True`; one must use a custom name for either `SESSION_COOKIE_NAME` or `CSRF_COOKIE_NAME` in one's Django settings; and one must not be configured in one's organization or project settings to use Sentry's data scrubbing features to account for the custom cookie names. As of version 1.14.0, the Django integration of the `sentry-sdk` will detect the custom cookie names based on one's Django settings and will remove the values from the payload before sending the data to Sentry. As a workaround, use the SDK's filtering mechanism to remove the cookies from the payload that is sent to Sentry. For error events, this can be done with the `before_send` callback method and for performance related events (transactions) one can use the `before_send_transaction` callback method. Those who want to handle filtering of these values on the server-side can also use Sentry's advanced data scrubbing feature to account for the custom cookie names. Look for the `$http.cookies`, `$http.headers`, `$request.cookies`, or `$request.headers` fields to target with a scrubbing rule. |
CVE-2023-28117 |
Medium |
False Positive |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS does not use Sentry SDK with Django so this doesn’t apply. |
| py39-cryptography-3.3.2 |
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network. |
CVE-2023-0286 |
High |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| py39-cryptography-3.3.2 |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. |
CVE-2023-23931 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| py39-setuptools-57.0.0 |
Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of Service (ReDoS) in package_index.py. |
CVE-2022-40897 |
Medium |
Low |
CORE-13.0-U5.3 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| TrueNAS middleware |
A vulnerability involving python deserialization, CVE-2020-22083, was found. |
CVE-2020-22083 |
Medium |
Medium |
CORE-13.0-U6.2 |
CORE-13.0-U6.3 |
Link |
TrueNAS assessment: exploitable by a local user |
| TrueNAS iocage |
A vulnerability involving iocage updates was found. |
CVE-2020-22083 |
High |
High |
CORE-13.0-U6.2 |
partial fix in CORE-13.0-U6.3 |
Link |
TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
| TrueNAS middleware |
A vulnerability involving python deserialization, CVE-2020-22083, was found. |
NAS-132268 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U1 |
Link |
TrueNAS assessment: exploitable by a local user |
| TrueNAS middleware |
A vulnerability involving iocage updates was found. |
CVE-2024-11944 |
High |
High |
CORE-13.3 |
CORE-13.3-U1 |
Link |
TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
| TrueNAS iocage |
A vulnerability involving iocage updates was found. |
CVE-2024-11946 |
High |
High |
CORE-13.3 |
partial fix in CORE-13.3-U1 |
Link |
TrueNAS assessment: exploitable if attacker can control local gateway or upstream network. |
| rsync-3.2.7 |
Heap-buffer overflow in Rsync due to improper checksum length handling |
CVE-2024-12084 |
High |
High |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Information leak via uninitialized stack contents |
CVE-2024-12085 |
Medium |
Medium |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Rsync server leaks arbitrary client files |
CVE-2024-12086 |
Medium |
Medium |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Path traversal vulnerability in Rsync |
CVE-2024-12087 |
Medium |
Medium |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
--safe-links option bypass leads to path traversal |
CVE-2024-12088 |
Medium |
Medium |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Race condition in Rsync when handling symbolic links |
CVE-2024-12747 |
Medium |
Medium |
CORE-13.0 |
CORE-13.0-U6.6 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Heap-buffer overflow in Rsync due to improper checksum length handling |
CVE-2024-12084 |
High |
High |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Information leak via uninitialized stack contents |
CVE-2024-12085 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Rsync server leaks arbitrary client files |
CVE-2024-12086 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Path traversal vulnerability in Rsync |
CVE-2024-12087 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
--safe-links option bypass leads to path traversal |
CVE-2024-12088 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| rsync-3.2.7 |
Race condition in Rsync when handling symbolic links |
CVE-2024-12747 |
Medium |
Medium |
CORE-13.3 |
CORE-13.3-U2 |
Link |
TrueNAS assessment: exploitable if rsync service is enabled. Note that rsync service is not needed for TrueNAS rsync tasks. |
| openssh |
A security regression (CVE-2024-6387) was discovered in OpenSSH's server (sshd). There is a race condition which can lead to sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period. This bug allows remote code execution. |
CVE-2024-6387 |
High |
High |
SCALE 24.04.0 |
SCALE 24.04.2 |
Link |
|
| github.com/bits-and-blooms/bloom/v3 (v3.0.1) |
Uncontrolled Search Path Element in GitHub repository bits-and-blooms/bloom prior to 3.3.1. |
CVE-2023-0247 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| github.com/containerd/containerd (1.6.6 & 1.5.7) |
containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with a large file where a limit was not applied could cause a denial of service. This bug has been fixed in containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround, ensure that only trusted images are used and that only trusted users have permissions to import images. |
CVE-2023-25153 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.6.6 1.5.7) |
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups. |
CVE-2023-25173 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.6.6 1.5.7) |
containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak. Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used and that only trusted users have permissions to execute commands in running containers. |
CVE-2022-23471 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.5.7) |
containerd is a container runtime available as a daemon for Linux and Windows. A bug was found in containerd prior to versions 1.6.1, 1.5.10, and 1.14.12 where containers launched through containerd’s CRI implementation on Linux with a specially-crafted image configuration could gain access to read-only copies of arbitrary files and directories on the host. This may bypass any policy-based enforcement on container setup (including a Kubernetes Pod Security Policy) and expose potentially sensitive information. Kubernetes and crictl can both be configured to use containerd’s CRI implementation. This bug has been fixed in containerd 1.6.1, 1.5.10, and 1.4.12. Users should update to these versions to resolve the issue. |
CVE-2022-23648 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.5.7) |
containerd is an open source container runtime. A bug was found in the containerd's CRI implementation where programs inside a container can cause the containerd daemon to consume memory without bound during invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing processes via an "exec" facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted images and commands are used. |
CVE-2022-31030 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.5.7) |
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. |
CVE-2021-41190 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/containerd/containerd (1.5.7) |
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible. |
CVE-2021-43816 |
Critical |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/minio/console (0.12.5) |
Minio Console is the UI for MinIO Object Storage. Unicode RIGHT-TO-LEFT OVERRIDE characters can be used to mask the original filename. This issue has been patched in version 0.28.0. |
CVE-2023-33955 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| k8s.io/apiserver (v0.22.5 & v0.24.2) |
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. |
CVE-2020-8561 |
Medium |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/coredns/coredns (1.4.0) |
A flaw was found in coreDNS. This flaw allows a malicious user to reroute internal calls to some internal services that were accessed by the FQDN in a format of <service>.<namespace>.svc. |
CVE-2022-2835 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| github.com/coredns/coredns (1.4.0) |
A flaw was found in coreDNS. This flaw allows a malicious user to redirect traffic intended for external top-level domains (TLD) to a pod they control by creating projects and namespaces that match the TLD. |
CVE-2022-2837 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| github.com/opencontainers/image-spec (1.0.1) |
The OCI Distribution Spec project defines an API protocol to facilitate and standardize the distribution of content. In the OCI Distribution Specification version 1.0.0 and prior, the Content-Type header alone was used to determine the type of document during push and pull operations. Documents that contain both “manifests” and “layers” fields could be interpreted as either a manifest or an index in the absence of an accompanying Content-Type header. If a Content-Type header changed between two pulls of the same digest, a client may interpret the resulting content differently. The OCI Distribution Specification has been updated to require that a mediaType value present in a manifest or index match the Content-Type header used during the push and pull operations. Clients pulling from a registry may distrust the Content-Type header and reject an ambiguous document that contains both “manifests” and “layers” fields or “manifests” and “config” fields if they are unable to update to version 1.0.1 of the spec. |
CVE-2021-41190 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) |
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `maskedPaths`. |
CVE-2023-25809 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) |
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. |
CVE-2023-27561 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/opencontainers/runc (v1.1.3 & v1.0.2 & v1.1.2) |
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. |
CVE-2023-28642 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/opencontainers/runc (v1.0.2) |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. A bug was found in runc prior to version 1.1.2 where `runc exec --cap` created processes with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during execve(2). This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in runc 1.1.2. This fix changes `runc exec --cap` behavior such that the additional capabilities granted to the process being executed (as specified via `--cap` arguments) do not include inheritable capabilities. In addition, `runc spec` is changed to not set any inheritable capabilities in the created example OCI spec (`config.json`) file. |
CVE-2022-29162 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/opencontainers/runc (v1.0.2) |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. |
CVE-2021-43784 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/prometheus/client_golang (v1.10.0 & v1.11.0 & v1.7.1) |
client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version 1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`; not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`. client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow a limited set of methods. |
CVE-2022-21698 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/rancher/wrangler (v1.0.0) |
A Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in wrangler of SUSE Rancher allows remote attackers to inject commands in the underlying host via crafted commands passed to Wrangler. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. |
CVE-2022-31249 |
Critical |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| github.com/rancher/wrangler (v1.0.0) |
A Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in SUSE Rancher allows remote attackers to cause denial of service by supplying specially crafted git credentials. This issue affects: SUSE Rancher wrangler version 0.7.3 and prior versions; wrangler version 0.8.4 and prior versions; wrangler version 1.0.0 and prior versions. |
CVE-2022-43756 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| golang.org/x/text (v0.3.6 & v0.3.7) |
An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse. |
CVE-2022-32149 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| golang.org/x/text (v0.3.6) |
golang.org/x/text/language in golang.org/x/text before 0.3.7 can panic with an out-of-bounds read during BCP 47 language tag parsing. Index calculation is mishandled. If parsing untrusted user input, this can be used as a vector for a denial-of-service attack. |
CVE-2021-38561 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| go.mongodb.org/mongo-driver (v1.4.6) |
Specific cstrings input may not be properly validated in the MongoDB Go Driver when marshalling Go objects into BSON. A malicious user could use a Go object with specific string to potentially inject additional fields into marshalled documents. This issue affects all MongoDB GO Drivers up to (and including) 1.5.0. |
CVE-2021-20329 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Built-in MinIO Service (source of this component) is exploitable, but can be mitigated by migration to “Plugin-Based” Minio service which is patched beyond this vulnerability level. With the built-in service S3 set to “Disabled” on the TrueNAS UI, this renders the TrueNAS not vulnerable. This issue may be addressed in a future TrueNAS release. |
| busybox (1:1.30.1-6+b3) |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
High |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| busybox (1:1.30.1-6+b3) |
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". |
CVE-2018-1000500 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| git (1:2.39.2-1~bpo11+1) |
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. |
CVE-2020-5260 |
High |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| gnupg (2.2.27-2+deb11u2) |
GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB. |
CVE-2022-3219 |
Low |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
IXassessment : low risk and no fix expected from upstream |
| gnupg (2.2.27-2+deb11u2) |
A vulnerability was found in the Libksba library due to an integer overflow within the CRL parser. The vulnerability can be exploited remotely for code execution on the target system by passing specially crafted data to the application, for example, a malicious S/MIME attachment. |
CVE-2022-3515 |
Critical |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| helm (3.9.4-1) |
Helm is a tool that streamlines installing and managing Kubernetes applications.`getHostByName` is a Helm template function introduced in Helm v3. The function is able to accept a hostname and return an IP address for that hostname. To get the IP address the function performs a DNS lookup. The DNS lookup happens when used with `helm install|upgrade|template` or when the Helm SDK is used to render a chart. Information passed into the chart can be disclosed to the DNS servers used to lookup the IP address. For example, a malicious chart could inject `getHostByName` into a chart in order to disclose values to a malicious DNS server. The issue has been fixed in Helm 3.11.1. Prior to using a chart with Helm verify the `getHostByName` function is not being used in a template to disclose any information you do not want passed to DNS servers. |
CVE-2023-25165 |
Medium |
Medium |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
| helm (3.9.4-1) |
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to Uncontrolled Resource Consumption, resulting in Denial of Service. Input to functions in the _strvals_ package can cause a stack overflow. In Go, a stack overflow cannot be recovered from. Applications that use functions from the _strvals_ package in the Helm SDK can have a Denial of Service attack when they use this package and it panics. This issue has been patched in 3.10.3. SDK users can validate strings supplied by users won't create large arrays causing significant memory usage before passing them to the _strvals_ functions. |
CVE-2022-23524 |
High |
Medium |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
| helm (3.9.4-1) |
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the _repo_package. The _repo_ package contains a handler that processes the index file of a repository. For example, the Helm client adds references to chart repositories where charts are managed. The _repo_ package parses the index file of the repository and loads it into structures Go can work with. Some index files can cause array data structures to be created causing a memory violation. Applications that use the _repo_ package in the Helm SDK to parse an index file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. The Helm Client will panic with an index file that causes a memory violation panic. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate index files that are correctly formatted before passing them to the _repo_ functions. |
CVE-2022-23525 |
High |
Medium |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
| helm (3.9.4-1) |
Helm is a tool for managing Charts, pre-configured Kubernetes resources. Versions prior to 3.10.3 are subject to NULL Pointer Dereference in the_chartutil_ package that can cause a segmentation violation. The _chartutil_ package contains a parser that loads a JSON Schema validation file. For example, the Helm client when rendering a chart will validate its values with the schema file. The _chartutil_ package parses the schema file and loads it into structures Go can work with. Some schema files can cause array data structures to be created causing a memory violation. Applications that use the _chartutil_ package in the Helm SDK to parse a schema file can suffer a Denial of Service when that input causes a panic that cannot be recovered from. Helm is not a long running service so the panic will not affect future uses of the Helm client. This issue has been patched in 3.10.3. SDK users can validate schema files that are correctly formatted before passing them to the _chartutil_ functions. |
CVE-2022-23526 |
High |
Medium |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
Impact of fix is too high risk, resolution available in Cobia BETA.1 and beyond |
| openssl (1.1.1t-001+deb11u4) |
Issue summary: Processing some specially crafted ASN.1 object identifiers or
data containing them may be very slow.
Impact summary: Applications that use OBJ_obj2txt() directly, or use any of
the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message
size limit may experience notable to very long delays when processing those
messages, which may lead to a Denial of Service.
An OBJECT IDENTIFIER is composed of a series of numbers - sub-identifiers -
most of which have no size limit. OBJ_obj2txt() may be used to translate
an ASN.1 OBJECT IDENTIFIER given in DER encoding form (using the OpenSSL
type ASN1_OBJECT) to its canonical numeric text form, which are the
sub-identifiers of the OBJECT IDENTIFIER in decimal form, separated by
periods.
When one of the sub-identifiers in the OBJECT IDENTIFIER is very large
(these are sizes that are seen as absurdly large, taking up tens or hundreds
of KiBs), the translation to a decimal number in text may take a very long
time. The time complexity is O(n^2) with 'n' being the size of the
sub-identifiers in bytes (*).
With OpenSSL 3.0, support to fetch cryptographic algorithms using names /
identifiers in string form was introduced. This includes using OBJECT
IDENTIFIERs in canonical numeric text form as identifiers for fetching
algorithms.
Such OBJECT IDENTIFIERs may be received through the ASN.1 structure
AlgorithmIdentifier, which is commonly used in multiple protocols to specify
what cryptographic algorithm should be used to sign or verify, encrypt or
decrypt, or digest passed data.
Applications that call OBJ_obj2txt() directly with untrusted data are
affected, with any version of OpenSSL. If the use is for the mere purpose
of display, the severity is considered low.
In OpenSSL 3.0 and newer, this affects the subsystems OCSP, PKCS7/SMIME,
CMS, CMP/CRMF or TS. It also impacts anything that processes X.509
certificates, including simple things like verifying its signature.
The impact on TLS is relatively low, because all versions of OpenSSL have a
100KiB limit on the peer's certificate chain. Additionally, this only
impacts clients, or servers that have explicitly enabled client
authentication.
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects,
such as X.509 certificates. This is assumed to not happen in such a way
that it would cause a Denial of Service, so these versions are considered
not affected by this issue in such a way that it would be cause for concern,
and the severity is therefore considered low. |
CVE-2023-2650 |
Medium |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
In OpenSSL 1.1.1 and 1.0.2, this only affects displaying diverse objects, such as X.509 certificates. This is assumed to not happen in such a way that it would cause a Denial of Service, so these versions are considered not affected by this issue in such a way that it would be cause for concern, and the severity is therefore considered low. |
| perl (5.32.1-4+deb11u2) |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. |
CVE-2023-31486 |
High |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| rsyslog (8.2102.0-2+deb11u1) |
rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron. |
CVE-2015-3243 |
Medium |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| busybox (1:1.30.1-6+b3) |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
Critical |
Low |
22.12.4 |
Cobia 23.10-BETA.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| haproxy (2.6.12-1~bpo11+1) |
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. |
CVE-2023-40225 |
High |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| perl (5.32.1-4+deb11u2) |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
Low |
22.12.4 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| openssl (3.0.9-2) |
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.
Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.
The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.
The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.
As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:
OPENSSL_ia32cap=:~0x200000
The FIPS provider is not affected by this issue. |
CVE-2023-4807 |
High |
False Positive |
22.12.4 |
N/A - False Positive |
Link |
Only applicable to Windows operating systems - False positive |
| samba (2:4.17.11+ix-1) |
smbd allows client access to unix domain sockets on the file system. |
CVE-2023-3931 |
Medium |
Critical |
22.12.4 |
22.12.4.1 |
Link |
Exploitable, action recommended: upgrade to 22.12.4.1 |
| samba (2:4.17.11+ix-1) |
Samba AD DC password exposure to privileged users and RODCs |
CVE-2023-4154 |
High |
Low |
22.12.4 |
22.12.4.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| samba (2:4.17.11+ix-1) |
SMB clients can truncate files with read-only permissions |
CVE-2023-4091 |
Medium |
Low |
22.12.4 |
22.12.4.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| samba (2:4.17.11+ix-1) |
"rpcecho" development server allows Denial of Service via sleep() call on AD DC |
CVE-2023-42669 |
Medium |
Low |
22.12.4 |
22.12.4.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| samba (2:4.17.11+ix-1) |
Samba AD DC Busy RPC multiple listener DoS |
CVE-2023-42670 |
Medium |
Low |
22.12.4 |
22.12.4.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| k8s.io/apiserver (v0.27.2) |
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. |
CVE-2020-8561 |
Medium |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| google.golang.org/grpc (v1.40.0) |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
CVE-2023-32731 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
|
CVE-2021-22570 |
Medium |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| github.com/rclone/rclone (v1.63.0) |
n Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. |
CVE-2018-12907 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
TrueNAS SCALE does not support cloud to cloud sync, not exposed |
| busybox (1:1.35.0-4+b3) |
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. |
CVE-2019-5747 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. |
CVE-2018-1000517 |
Critical |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. |
CVE-2018-20679 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. |
CVE-2017-16544 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
CVE-2016-2147 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. |
CVE-2016-2148 |
Critical |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. |
CVE-2016-6301 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. |
CVE-2015-9261 |
Medium |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. |
CVE-2014-9645 |
Medium |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. |
CVE-2013-1813 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. |
CVE-2011-2716 |
Medium |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. |
CVE-2011-5325 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
High |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| haproxy (2.6.12-1) |
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. |
CVE-2023-40225 |
High |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| openssl (3.0.9-2) |
Checking excessively long DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_check(), DH_check_ex() or EVP_PKEY_param_check() to check a DH key or DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. An application that calls DH_check() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. The function DH_check() is itself called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_ex() and EVP_PKEY_param_check(). Also vulnerable are the OpenSSL dhparam and pkeyparam command line applications when using the "-check" option. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. |
CVE-2023-3817 |
Medium |
Low |
SCALE 23.10.0 |
SCALE 23.10.1 |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| perl (5.36.0-7) |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| perl (5.36.0-7) |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. |
CVE-2023-31486 |
High |
Low |
SCALE 23.10.0 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| openssl (3.0.9-2) |
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications on the
Windows 64 platform when running on newer X86_64 processors supporting the
AVX512-IFMA instructions.
Impact summary: If in an application that uses the OpenSSL library an attacker
can influence whether the POLY1305 MAC algorithm is used, the application
state might be corrupted with various application dependent consequences.
The POLY1305 MAC (message authentication code) implementation in OpenSSL does
not save the contents of non-volatile XMM registers on Windows 64 platform
when calculating the MAC of data larger than 64 bytes. Before returning to
the caller all the XMM registers are set to zero rather than restoring their
previous content. The vulnerable code is used only on newer x86_64 processors
supporting the AVX512-IFMA instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However given the contents of the registers are just zeroized so
the attacker cannot put arbitrary values inside, the most likely consequence,
if any, would be an incorrect result of some application dependent
calculations or a crash leading to a denial of service.
The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3 and a malicious client can influence whether this AEAD
cipher is used by the server. This implies that server applications using
OpenSSL can be potentially impacted. However we are currently not aware of
any concrete application that would be affected by this issue therefore we
consider this a Low severity security issue.
As a workaround the AVX512-IFMA instructions support can be disabled at
runtime by setting the environment variable OPENSSL_ia32cap:
OPENSSL_ia32cap=:~0x200000
The FIPS provider is not affected by this issue. |
CVE-2023-4807 |
High |
False Positive |
SCALE 23.10.0 |
N/A False Positive |
Link |
Only applicable to windows operating systems - False positive |
| k8s.io/apiserver (v0.27.2) |
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. |
CVE-2020-8561 |
Medium |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| golang.org/x/net/ (0.10.0, 0.8.0, 0.7.0) |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
TrueNAS assessment: minor issue, no advisory. |
| google.golang.org/grpc (v1.40.0) |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. |
CVE-2023-32731 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| google.golang.org/protobuf (v1.30, v 1.28 & v1.28.1) |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.
|
CVE-2021-22570 |
Medium |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| google.golang.org/protobuf (v1.30, v 1.29 & v1.28.1) |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identify this C++ only bug for grpc, this deployment is the go language. no exposure |
| github.com/rclone/rclone (v1.63.0) |
n Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. |
CVE-2018-12907 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
TrueNAS SCALE does not support cloud to cloud sync, not exposed |
| busybox (1:1.35.0-4+b3) |
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. |
CVE-2019-5747 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. |
CVE-2018-1000517 |
Critical |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. |
CVE-2018-20679 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. |
CVE-2017-16544 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
CVE-2016-2147 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. |
CVE-2016-2148 |
Critical |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. |
CVE-2016-6301 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. |
CVE-2015-9261 |
Medium |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. |
CVE-2014-9645 |
Medium |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. |
CVE-2013-1813 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. |
CVE-2011-2716 |
Medium |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. |
CVE-2011-5325 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
Some scanning tools identfy this vulnerability due to version string parsing issues, this release of busybox includes the fix to address this vulnerability and is not impacted. |
| busybox (1:1.35.0-4+b3) |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| haproxy (2.6.12-1) |
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. |
CVE-2023-40225 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
TrueNAS assessment: only exploitable by a privileged user |
| haproxy (2.6.12-1) |
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. |
CVE-2023-45539 |
High |
False Positive |
SCALE 23.10.1 |
N/A False Positive |
Link |
TrueNAS assessment: system not affected, We have control over the rules that used in matches for HAProxy, and this CVE is only a problem if the rules are intended to match based on the suffix: haproxy: //github BUG/MINOR: h1: do not accept '#' as part of the URI component reported
|
| perl (5.36.0-7) |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| perl (5.36.0-7) |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. |
CVE-2023-31486 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| perl (5.36.0-7) |
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. |
CVE-2023-41700 |
High |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| openssl (3.0.12-) |
Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays. Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.
Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions. An application calling any of those other
functions may similarly be affected. The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. |
CVE-2023-5678 |
Medium |
Low |
SCALE 23.10.1 |
Not yet resolved |
Link |
[bookworm] - sudo <no-dsa> (Minor issue)
TrueNAS assessment: only exploitable by a privileged user |
| busybox 1:1.35.0-4+b3 |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. |
CVE-2019-5747 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". |
CVE-2018-1000500 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. |
CVE-2018-1000517 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. |
CVE-2018-20679 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. |
CVE-2017-16544 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
CVE-2016-2147 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. |
CVE-2016-2148 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. |
CVE-2016-6301 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. |
CVE-2015-9261 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. |
CVE-2014-9645 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. |
CVE-2013-1813 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. |
CVE-2011-2716 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. |
CVE-2011-5325 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| busybox 1:1.35.0-4+b3 |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
Critical |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| file 1:5.44-3 |
Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. |
CVE-2007-1536 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| git 1:2.39.2-1.1 |
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. |
CVE-2022-25648 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| git 1:2.39.2-1.1 |
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. |
CVE-2020-5260 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| github.com/go-git/go-git/v5 v5.9.0 |
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. |
CVE-2023-49568 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| github.com/go-git/go-git/v5 v5.9.0 |
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. |
CVE-2023-49569 |
Critical |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| github.com/opencontainers/runc v1.1.5 |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
CVE-2024-21626 |
High |
Medium |
SCALE 23.10.2 |
Dragonfish 24.10 |
Link |
Vulnerability is not exposed from base product. Exposure comes from installing a malicious app. Use care when choosing apps. |
| github.com/rclone/rclone v1.63.0 |
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. |
CVE-2018-12907 |
Medium |
Low |
SCALE 23.10.2 |
Not yet resolved |
Link |
|
| golang.org/x/crypto v0.13.0 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. |
CVE-2023-48795 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/crypto v0.5.0 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. |
CVE-2023-48795 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/crypto v0.7.0 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. |
CVE-2023-48795 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.10.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.10.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.15.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.7.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| golang.org/x/net v0.8.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
Low |
SCALE 23.10.2 |
Not yet resolved |
Link |
|
| google.golang.org/grpc v1.40.0 |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 |
CVE-2023-32731 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/grpc v1.40.0 |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 |
CVE-2023-32731 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/grpc v1.40.0 |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 |
CVE-2023-32731 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.1 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.28.1 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| haproxy 2.6.12-1 |
An uncontrolled resource consumption vulnerability was discovered in HAProxy which could crash the service. This issue could allow an authenticated remote attacker to run a specially crafted malicious server in an OpenShift cluster. The biggest impact is to availability. |
CVE-2023-0056 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| haproxy 2.6.12-1 |
HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. |
CVE-2016-2102 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| haproxy 2.6.12-1 |
HAProxy through 2.0.32, 2.1.x and 2.2.x through 2.2.30, 2.3.x and 2.4.x through 2.4.23, 2.5.x and 2.6.x before 2.6.15, 2.7.x before 2.7.10, and 2.8.x before 2.8.2 forwards empty Content-Length headers, violating RFC 9110 section 8.6. In uncommon cases, an HTTP/1 server behind HAProxy may interpret the payload as an extra request. |
CVE-2023-40225 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| haproxy 2.6.12-1 |
HAProxy before 2.8.2 accepts # as part of the URI component, which might allow remote attackers to obtain sensitive information or have unspecified other impact upon misinterpretation of a path_end rule, such as routing index.html#.png to a static server. |
CVE-2023-45539 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| k8s.io/apiserver v0.27.2 |
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. |
CVE-2020-8561 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| keepalived 1:2.2.7-1+b2 |
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property |
CVE-2021-44225 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| keepalived 1:2.2.7-1+b2 |
keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. |
CVE-2018-19115 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
keepalived not used in proxy mode. |
| openssl 3.0.11-1~deb12u3 |
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. |
CVE-2023-5363 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| openssl 3.0.11-1~deb12u3 |
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. |
CVE-2023-5678 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| openssl 3.0.11-1~deb12u3 |
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-0727 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| openssl 3.0.11-1~deb12u3 |
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. |
CVE-2023-6129 |
Medium |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| perl 5.36.0-7 |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. |
CVE-2023-31486 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| perl 5.36.0-7 |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
False Positive |
SCALE 23.10.2 |
|
Link |
|
| perl 5.36.0-7 |
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. |
CVE-2023-47100 |
Critical |
False Positive |
SCALE 23.10.2 |
|
Link |
Perl not used with this regular expression. |
| busybox 1:1.35.0-4+b3 |
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command. |
CVE-2014-9645 |
Low |
False Positive |
SCALE 24.04.0 |
|
Link |
busybox not used for add_probe internally. |
| busybox 1:1.35.0-4+b3 |
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors. |
CVE-2013-1813 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox for creating directories. |
| busybox 1:1.35.0-4+b3 |
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options. |
CVE-2011-2716 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
busybox DHCP not used. |
| busybox 1:1.35.0-4+b3 |
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink. |
CVE-2011-5325 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox for tar. |
| busybox 1:1.35.0-4+b3 |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
Critical |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox's ash. |
| file 1:5.44-3 |
Integer underflow in the file_printf function in the "file" program before 4.20 allows user-assisted attackers to execute arbitrary code via a file that triggers a heap-based buffer overflow. |
CVE-2007-1536 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use file internally. |
| git 1:2.39.2-1.1 |
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection. |
CVE-2022-25648 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use git fetch. |
| git 1:2.39.2-1.1 |
Affected versions of Git have a vulnerability whereby Git can be tricked into sending private credentials to a host controlled by an attacker. Git uses external "credential helper" programs to store and retrieve passwords or other credentials from secure storage provided by the operating system. Specially-crafted URLs that contain an encoded newline can inject unintended values into the credential helper protocol stream, causing the credential helper to retrieve the password for one server (e.g., good.example.com) for an HTTP request being made to another server (e.g., evil.example.com), resulting in credentials for the former being sent to the latter. There are no restrictions on the relationship between the two, meaning that an attacker can craft a URL that will present stored credentials for any host to a host of their choosing. The vulnerability can be triggered by feeding a malicious URL to git clone. However, the affected URLs look rather suspicious; the likely vector would be through systems which automatically clone URLs not visible to the user, such as Git submodules, or package systems built around Git. The problem has been patched in the versions published on April 14th, 2020, going back to v2.17.x. Anyone wishing to backport the change further can do so by applying commit 9a6bbee (the full release includes extra checks for git fsck, but that commit is sufficient to protect clients against the vulnerability). The patched versions are: 2.17.4, 2.18.3, 2.19.4, 2.20.3, 2.21.2, 2.22.3, 2.23.2, 2.24.2, 2.25.3, 2.26.1. |
CVE-2020-5260 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use git with credential helpers as part of base system. |
| google.golang.org/protobuf v1.28.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 24.04.0 |
|
Link |
|
| google.golang.org/protobuf v1.28.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Protobuf use is internal; no opportunity for authenticated attacker to reach internals. |
| google.golang.org/protobuf v1.30.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 24.04.0 |
|
Link |
|
| google.golang.org/protobuf v1.30.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Protobuf use is internal; no opportunity for authenticated attacker to reach internals. |
| google.golang.org/protobuf v1.31.0 |
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater. |
CVE-2021-22570 |
Low |
False Positive |
SCALE 24.04.0 |
|
Link |
|
| google.golang.org/protobuf v1.31.0 |
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow. |
CVE-2015-5237 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Protobuf use is internal; no opportunity for authenticated attacker to reach internals. |
| keepalived 1:2.2.7-1+b2 |
In Keepalived through 2.2.4, the D-Bus policy does not sufficiently restrict the message destination, allowing any user to inspect and manipulate any property. This leads to access-control bypass in some situations in which an unrelated D-Bus system service has a settable (writable) property |
CVE-2021-44225 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
|
| keepalived 1:2.2.7-1+b2 |
keepalived before 2.0.7 has a heap-based buffer overflow when parsing HTTP status codes resulting in DoS or possibly unspecified other impact, because extract_status_code in lib/html.c has no validation of the status code and instead writes an unlimited amount of data to the heap. |
CVE-2018-19115 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
iX Analysis: We don't use keepalived in proxy mode, so this issue is irrelevant. |
| openssl 3.0.11-1~deb12u3 |
Issue summary: A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers. Impact summary: A truncation in the IV can result in non-uniqueness, which could result in loss of confidentiality for some cipher modes. When calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() the provided OSSL_PARAM array is processed after the key and IV have been established. Any alterations to the key length, via the "keylen" parameter or the IV length, via the "ivlen" parameter, within the OSSL_PARAM array will not take effect as intended, potentially causing truncation or overreading of these values. The following ciphers and cipher modes are impacted: RC2, RC4, RC5, CCM, GCM and OCB. For the CCM, GCM and OCB cipher modes, truncation of the IV can result in loss of confidentiality. For example, when following NIST's SP 800-38D section 8.2.1 guidance for constructing a deterministic IV for AES in GCM mode, truncation of the counter portion could lead to IV reuse. Both truncations and overruns of the key and overruns of the IV will produce incorrect results and could, in some cases, trigger a memory exception. However, these issues are not currently assessed as security critical. Changing the key and/or IV lengths is not considered to be a common operation and the vulnerable API was recently introduced. Furthermore it is likely that application developers will have spotted this problem during testing since decryption would fail unless both peers in the communication were similarly vulnerable. For these reasons we expect the probability of an application being vulnerable to this to be quite low. However if an application is vulnerable then this issue is considered very serious. For these reasons we have assessed this issue as Moderate severity overall. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this because the issue lies outside of the FIPS provider boundary. OpenSSL 3.1 and 3.0 are vulnerable to this issue. |
CVE-2023-5363 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
Changing IV size is not present in current codebase. |
| openssl 3.0.11-1~deb12u3 |
Issue summary: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow. Impact summary: Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. While DH_check() performs all the necessary checks (as of CVE-2023-3817), DH_check_pub_key() doesn't make any of these checks, and is therefore vulnerable for excessively large P and Q parameters. Likewise, while DH_generate_key() performs a check for an excessively large P, it doesn't check for an excessively large Q. An application that calls DH_generate_key() or DH_check_pub_key() and supplies a key or parameters obtained from an untrusted source could be vulnerable to a Denial of Service attack. DH_generate_key() and DH_check_pub_key() are also called by a number of other OpenSSL functions. An application calling any of those other functions may similarly be affected. The other functions affected by this are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate(). Also vulnerable are the OpenSSL pkey command line application when using the "-pubcheck" option, as well as the OpenSSL genpkey command line application. The OpenSSL SSL/TLS implementation is not affected by this issue. The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue. |
CVE-2023-5678 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Openssl not used this way. |
| openssl 3.0.11-1~deb12u3 |
Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions. Impact summary: If an attacker can influence whether the POLY1305 MAC algorithm is used, the application state might be corrupted with various application dependent consequences. The POLY1305 MAC (message authentication code) implementation in OpenSSL for PowerPC CPUs restores the contents of vector registers in a different order than they are saved. Thus the contents of some of these vector registers are corrupted when returning to the caller. The vulnerable code is used only on newer PowerPC processors supporting the PowerISA 2.07 instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However unless the compiler uses the vector registers for storing pointers, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. The POLY1305 MAC algorithm is most frequently used as part of the CHACHA20-POLY1305 AEAD (authenticated encryption with associated data) algorithm. The most common usage of this AEAD cipher is with TLS protocol versions 1.2 and 1.3. If this cipher is enabled on the server a malicious client can influence whether this AEAD cipher is used. This implies that TLS server applications using OpenSSL can be potentially impacted. However we are currently not aware of any concrete application that would be affected by this issue therefore we consider this a Low severity security issue. |
CVE-2023-6129 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
System not PowerPC based. |
| perl 5.36.0-7+deb12u1 |
HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to verify certificates. |
CVE-2023-31486 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
HTTP::Tiny not used this way in codebase. |
| perl 5.36.0-7+deb12u1 |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
CPAN not used internally. |
| perl 5.36.0-7+deb12u1 |
In Perl before 5.38.2, S_parse_uniprop_string in regcomp.c can write to unallocated space because a property name associated with a \p{...} regular expression construct is mishandled. The earliest affected version is 5.30.0. |
CVE-2023-47100 |
Critical |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use vulnerable regexp in perl. |
| github.com/go-git/go-git/v5 v5.9.0 |
A denial of service (DoS) vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to perform denial of service attacks by providing specially crafted responses from a Git server which triggers resource exhaustion in go-git clients. Applications using only the in-memory filesystem supported by go-git are not affected by this vulnerability. This is a go-git implementation issue and does not affect the upstream git cli. |
CVE-2023-49568 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
artifact |
| github.com/go-git/go-git/v5 v5.9.0 |
A path traversal vulnerability was discovered in go-git versions prior to v5.11. This vulnerability allows an attacker to create and amend files across the filesystem. In the worse case scenario, remote code execution could be achieved. Applications are only affected if they are using the ChrootOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#ChrootOS , which is the default when using "Plain" versions of Open and Clone funcs (e.g. PlainClone). Applications using BoundOS https://pkg.go.dev/github.com/go-git/go-billy/v5/osfs#BoundOS or in-memory filesystems are not affected by this issue. This is a go-git implementation issue and does not affect the upstream git cli. |
CVE-2023-49569 |
Critical |
False Positive |
SCALE 24.04.0 |
|
Link |
|
| github.com/rclone/rclone v1.63.0 |
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue. |
CVE-2018-12907 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Opened NAS-127131 |
| golang.org/x/crypto v0.13.0 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. |
CVE-2023-48795 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We do not use Go-based ssh internally. |
| golang.org/x/crypto v0.7.0 |
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust. |
CVE-2023-48795 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We do not use Go-based ssh internally. |
| golang.org/x/net v0.10.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
Not serving HTTP via go code. |
| golang.org/x/net v0.10.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't generate HTML from this package. |
| golang.org/x/net v0.15.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
Not serving HTTP via go code. |
| golang.org/x/net v0.7.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
Not serving HTTP via go code. |
| golang.org/x/net v0.7.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't generate HTML from this package. |
| golang.org/x/net v0.8.0 |
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. |
CVE-2023-39325 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
Not serving HTTP via go code. |
| golang.org/x/net v0.8.0 |
Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack. |
CVE-2023-3978 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't generate HTML from this package. |
| google.golang.org/grpc v1.40.0 |
When gRPC HTTP2 stack raised a header size exceeded error, it skipped parsing the rest of the HPACK frame. This caused any HPACK table mutations to also be skipped, resulting in a desynchronization of HPACK tables between sender and receiver. If leveraged, say, between a proxy and a backend, this could lead to requests from the proxy being interpreted as containing headers from different proxy clients - leading to an information leak that can be used for privilege escalation or data exfiltration. We recommend upgrading beyond the commit contained in https://github.com/grpc/grpc/pull/33005 https://github.com/grpc/grpc/pull/33005 |
CVE-2023-32731 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
gRPC only used internally. |
| k8s.io/apiserver v0.29.0 |
A security issue was discovered in Kubernetes where actors that control the responses of MutatingWebhookConfiguration or ValidatingWebhookConfiguration requests are able to redirect kube-apiserver requests to private networks of the apiserver. If that user can view kube-apiserver logs when the log level is set to 10, they can view the redirected responses and headers in the logs. |
CVE-2020-8561 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
Not used. |
| github.com/mholt/archiver/v3 v3.5.1 |
A flaw was discovered in the mholt/archiver package. This flaw allows an attacker to create a specially crafted tar file, which, when unpacked, may allow access to restricted files or directories. This issue can allow the creation or overwriting of files with the user's or application's privileges using the library. |
CVE-2024-0406 |
Unknown |
False Positive |
SCALE 24.04.0 |
|
Link |
archiver not used to unpack arbitrary files. |
| busybox 1:1.35.0-4+b3 |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox for netstat. |
| busybox 1:1.35.0-4+b3 |
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679. |
CVE-2019-5747 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox DHCP |
| busybox 1:1.35.0-4+b3 |
Busybox contains a Missing SSL certificate validation vulnerability in The "busybox wget" applet that can result in arbitrary code execution. This attack appear to be exploitable via Simply download any file over HTTPS using "busybox wget https://compromised-domain.com/important-file". |
CVE-2018-1000500 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox wget |
| busybox 1:1.35.0-4+b3 |
BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow vulnerability in Busybox wget that can result in heap buffer overflow. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fixed in after commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e. |
CVE-2018-1000517 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox's wget |
| busybox 1:1.35.0-4+b3 |
An issue was discovered in BusyBox before 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP server, client, and relay) allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to verification in udhcp_get_option() in networking/udhcp/common.c that 4-byte options are indeed 4 bytes. |
CVE-2018-20679 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox dhcp |
| busybox 1:1.35.0-4+b3 |
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. |
CVE-2017-16544 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox shell. |
| busybox 1:1.35.0-4+b3 |
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
CVE-2016-2147 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox DHCP. |
| busybox 1:1.35.0-4+b3 |
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. |
CVE-2016-2148 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox DHCP |
| busybox 1:1.35.0-4+b3 |
The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop. |
CVE-2016-6301 |
High |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't use busybox NTP |
| busybox 1:1.35.0-4+b3 |
huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file. |
CVE-2015-9261 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
busybox not used for unzip. |
| github.com/opencontainers/runc v1.1.5 |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
CVE-2024-21626 |
High |
Medium |
SCALE 24.04.2 |
|
Link |
Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. |
| github.com/opencontainers/runc v1.1.5 |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
CVE-2024-21626 |
High |
Medium |
SCALE 24.04.0 |
|
Link |
Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. |
| github.com/opencontainers/runc v1.1.6 |
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. |
CVE-2024-21626 |
High |
Medium |
SCALE 24.04.0 |
|
Link |
Apps need to be installed with root access. As such, this is only exploitable by deliberately installing malicious apps. |
| openssl 3.0.11-1~deb12u3 |
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-0727 |
Medium |
False Positive |
SCALE 24.04.0 |
|
Link |
We don't process arbitrary PKCS11 files. |
| google.golang.org/protobuf v1.31.0 |
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
CVE-2024-24786 |
Unknown |
False Positive |
SCALE 24.04.0 |
|
Link |
protojson.Unmarshall not used to process such invalid JSON. |
| google.golang.org/protobuf v1.28.0 |
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
CVE-2024-24786 |
Unknown |
False Positive |
SCALE 24.04.0 |
|
Link |
protojson.Unmarshall not used to process such invalid JSON. |
| google.golang.org/protobuf v1.30.0 |
The protojson.Unmarshal function can enter an infinite loop when unmarshaling certain forms of invalid JSON. This condition can occur when unmarshaling into a message which contains a google.protobuf.Any value, or when the UnmarshalOptions.DiscardUnknown option is set. |
CVE-2024-24786 |
Unknown |
False Positive |
SCALE 24.04.0 |
|
Link |
protojson.Unmarshall not used to process such invalid JSON. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. |
CVE-2022-36648 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
QEMU guests are outside of security scope. Never run untrusted VMs or applications on your TrueNAS. |
| busybox 1:1.35.0-4+b3 |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not make use of busybox in a way that can be reached by this exploit. |
| zlib1g 1:1.2.13.dfsg-1 |
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. |
CVE-2023-45853 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use MiniZip in an exploitable way. |
| stdlib go1.21.6 |
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
CVE-2024-24790 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use Go's stdlib for IPv6 IP address checks. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. |
CVE-2024-32002 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use git internally in an exploitable way for this vulnerability. |
| krb5-user 1.20.1-2+deb12u1 |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. |
CVE-2024-37371 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS isn't acting as a kerberos server. |
| libarchive13 3.6.2-1+deb12u1 |
Libarchive before 3.7.4 allows name out-of-bounds access when a ZIP archive has an empty-name file and mac-ext is enabled. This occurs in slurp_central_directory in archive_read_support_format_zip.c. |
CVE-2024-37407 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
libarchive is not used on untrusted files. |
| wget 1.21.3-1+b2 |
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. |
CVE-2024-38428 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
wget is not used on untrusted URLs. |
| keepalived 1:2.2.7-1+b2 |
In the vrrp_ipsets_handler handler (fglobal_parser.c) of keepalived through 2.3.1, an integer overflow can occur. NOTE: this CVE Record might not be worthwhile because an empty ipset name must be configured by the user. |
CVE-2024-41184 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not configured in mode needed for this exploit. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
CVE-2024-45491 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
Not a 32-bit platform. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
CVE-2024-45492 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
Not a 32-bit platform. |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. |
CVE-2024-5535 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use NPN. FIPS is not affected. |
| libnss3 2:3.87.1-1 |
A mismatch between allocator and deallocator could have lead to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. |
CVE-2024-6602 |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
Firefox and Thunderbird not present. |
| gitpython 3.1.30 |
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments |
GHSA-pr76-5cm5-w9cj |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use GitPython with untrusted git repos. |
| github.com/docker/docker v27.0.3+incompatible |
Authz zero length regression |
GHSA-v23v-6jw2-98fq |
Critical |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted applications on your TrueNAS system. |
| python3-dnspython 2.3.0-1 |
The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via a birthday attack that uses in-bailiwick referrals to conduct cache poisoning against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability" or "the Kaminsky bug." |
CVE-2008-1447 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use dnspython for resolution. |
| libopenjp2-7 2.5.0-2 |
A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. |
CVE-2021-3575 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use libopenjp for processing untrusted images. |
| busybox 1:1.35.0-4+b3 |
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. |
CVE-2022-28391 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use BusyBox to run netstat. |
| firmware-amd-graphics 20240709-2~bpo12+1 |
Improper input validation in some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2022-38076 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
WiFi firmware not used in TrueNAS. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
CVE-2022-3872 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| libgfapi0 10.3-5 |
In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. |
CVE-2022-48340 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Gluster FS not used internally. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. |
CVE-2023-1386 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| libharfbuzz0b 6.0.0+dfsg-3 |
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. |
CVE-2023-25193 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not using harfbuzz to display attacker chosen strings. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. |
CVE-2023-25652 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't run git apply internally. |
| vim-common 2:9.0.1378-2 |
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. |
CVE-2023-2610 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| dnsmasq-base 2.89-1 |
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. |
CVE-2023-28450 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
dnsmasq is not used in a vulnerable way. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. |
CVE-2023-29007 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use git on untrusted repos. |
| python3-dnspython 2.3.0-1 |
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. |
CVE-2023-29483 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use dnspython for arbitrary DNS resolution |
| libldap-2.5-0 2.5.13+dfsg-5 |
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. |
CVE-2023-2953 |
High |
Low |
SCALE 24.10.0 |
|
Link |
iX considers risk to be low. There are no known exploits of this null pointer bug. |
| dmidecode 3.4-1 |
Dmidecode before 3.5 allows -dump-bin to overwrite a local file. This has security relevance because, for example, execution of Dmidecode via Sudo is plausible. |
CVE-2023-30630 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
dmidecode is not used in a vulnerable way. |
| amd64-microcode 3.20230808.1.1~deb12u1 |
Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. |
CVE-2023-31315 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
No untrusted code with ring0 access. |
| libperl5.36 5.36.0-7+deb12u1 |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
CPAN is not used in a vulnerable way. |
| sysstat 12.6.1-1 |
sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. |
CVE-2023-33204 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
sysstat is not used in a vulnerable way. |
| truenas-sssd 2.9.5-2 |
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. |
CVE-2023-3758 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Race condition that requires non-default configuration. |
| busybox 1:1.35.0-4+b3 |
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. |
CVE-2023-39810 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Busybox not used for CPIO |
| shim-unsigned 15.7-1 |
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. |
CVE-2023-40547 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Shim not used for http-based booting. |
| shim-unsigned 15.7-1 |
A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. |
CVE-2023-40548 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
32-bit platform. |
| sudo 1.9.13p3-1+deb12u1 |
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. |
CVE-2023-42465 |
High |
Low |
SCALE 24.10.0 |
|
Link |
Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS. |
| intel-microcode 3.20240514.1~deb12u1 |
Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2023-42667 |
High |
Low |
SCALE 24.10.0 |
|
Link |
Exploit requires local authenticated access and specific Intel CPU |
| python3-urllib3 1.26.12-1 |
urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user. However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been patched in urllib3 version 1.26.17 or 2.0.5. |
CVE-2023-43804 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Cookies aren't used in the vulenrable fashion in TrueNAS. |
| nginx 1.22.1-9 |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
CVE-2023-44487 |
High |
Low |
SCALE 24.10.0 |
|
Link |
Do not expost your TrueNAS HTTP ports to the internet. |
| ovmf 2022.11-6+deb12u1 |
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. |
CVE-2023-45236 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
VM exploit: Do not run untrusted VMs on your TrueNAS. |
| ovmf 2022.11-6+deb12u1 |
EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. |
CVE-2023-45237 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
VM exploit: Do not run untrusted VMs on your TrueNAS. |
| stdlib go1.21.6 |
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. |
CVE-2023-45288 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Go's stdlib not used for serving HTTP. |
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. |
CVE-2023-4738 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| vim-common 2:9.0.1378-2 |
Use After Free in GitHub repository vim/vim prior to 9.0.1858. |
CVE-2023-4752 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. |
CVE-2023-4781 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| python3-cryptography 38.0.4-3 |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6. |
CVE-2023-49083 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
PKCS7 not used internally. |
| dnsmasq-base 2.89-1 |
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. |
CVE-2023-50387 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
dnsmasq not used in a way that this exploit can reach. |
| python3-cryptography 38.0.4-3 |
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. |
CVE-2023-50782 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Not serving TLS via this code. |
| p7zip 16.02+dfsg-8 |
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. |
CVE-2023-52168 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
p7zip not used internally. |
| libtiff6 4.5.0-6+deb12u1 |
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. |
CVE-2023-52355 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libtiff not used internally. |
| libtiff6 4.5.0-6+deb12u1 |
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. |
CVE-2023-52356 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libtiff not used internally. |
| libexpat1 2.5.0-1 |
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
CVE-2023-52425 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Unreachable denial of service. |
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. |
CVE-2023-5344 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| libsqlite3-0 3.40.1-2 |
A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-248999. |
CVE-2023-7104 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Untrusted code cannot reach sqlite calls. |
| libpython3.11 3.11.2-6+deb12u2 |
A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. |
CVE-2024-0397 |
High |
Low |
SCALE 24.10.0 |
|
Link |
No exploits known beyond denial of service. |
| libnss3 2:3.87.1-1 |
An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. |
CVE-2024-0743 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Firefox and Thunderbird not included in TrueNAS. |
| bind9-dnsutils 1:9.18.24-1 |
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-0760 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not serving DNS. |
| bind9-dnsutils 1:9.18.24-1 |
Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-1737 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not using bind9 for cachinng results. |
| bind9-dnsutils 1:9.18.24-1 |
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-1975 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not using bind9 to cache results. |
| vim-common 2:9.0.1378-2 |
Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. |
CVE-2024-22667 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| curl 7.88.1-10+deb12u5 |
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. |
CVE-2024-2398 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use libcurl in a vulnerable way. |
| stdlib go1.21.6 |
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. |
CVE-2024-24784 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use ParseAddressList |
| stdlib go1.21.6 |
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. |
CVE-2024-24791 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not using net/http client. |
| intel-microcode 3.20240514.1~deb12u1 |
Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-24853 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Requires local privileged access. |
| libxml2 2.9.14+dfsg-1.3~deb12u1 |
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. |
CVE-2024-25062 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS is not processing XML from attackers. |
| python3-cryptography 38.0.4-3 |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. |
CVE-2024-26130 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use cryptography package in a vulnerable way. |
| krb5-user 1.20.1-2+deb12u1 |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c. |
CVE-2024-26461 |
High |
Low |
SCALE 24.10.0 |
|
Link |
Potential memory leak; no security implications |
| python3-truenas-ipaclient 4.12.1-2 |
A vulnerability was found in FreeIPA in how the initial implementation of MS-SFU by MIT Kerberos was missing a condition for granting the "forwardable" flag on S4U2Self tickets. Fixing this mistake required adding a special case for the check_allowed_to_delegate() function: If the target service argument is NULL, then it means the KDC is probing for general constrained delegation rules and not checking a specific S4U2Proxy request.
In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to match the changes from upstream MIT Kerberos 1.20. However, a mistake resulting in this mechanism applies in cases where the target service argument is set AND where it is unset. This results in S4U2Proxy requests being accepted regardless of whether or not there is a matching service delegation rule. |
CVE-2024-2698 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
This only applies to FreeIPA servers. TrueNAS acts only as a client. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. |
CVE-2024-31143 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Don't run untrusted guests. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. |
CVE-2024-31145 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. |
CVE-2024-31146 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| python3-truenas-ipaclient 4.12.1-2 |
A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ is encrypted using the client’s session key. This key is different for each new session, which protects it from brute force attacks. However, the ticket it contains is encrypted using the target principal key directly. For user principals, this key is a hash of a public per-principal randomly-generated salt and the user’s password.
If a principal is compromised it means the attacker would be able to retrieve tickets encrypted to any principal, all of them being encrypted by their own key directly. By taking these tickets and salts offline, the attacker could run brute force attacks to find character strings able to decrypt tickets when combined to a principal salt (i.e. find the principal’s password). |
CVE-2024-3183 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
|
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. |
CVE-2024-32004 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Git not used with untrusted repositories. |
| git 1:2.39.2-1.1 |
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. |
CVE-2024-32465 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Git not used with untrusted repos. |
| libunbound8 1.17.1-2+deb12u2 |
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. |
CVE-2024-33655 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
DNS resolution not used in vulnerable fashion. |
| stdlib go1.21.12 |
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
CVE-2024-34156 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Decode not used. |
| stdlib go1.21.12 |
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
CVE-2024-34158 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Build time issue. |
| krb5-user 1.20.1-2+deb12u1 |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. |
CVE-2024-37370 |
High |
Low |
SCALE 24.10.0 |
|
Link |
No proof-of-concepts exist at this time. |
| libpython3.11 3.11.2-6+deb12u2 |
The “ipaddress” module contained incorrect information about whether certain IPv4 and IPv6 addresses were designated as “globally reachable” or “private”. This affected the is_private and is_global properties of the ipaddress.IPv4Address, ipaddress.IPv4Network, ipaddress.IPv6Address, and ipaddress.IPv6Network classes, where values wouldn’t be returned in accordance with the latest information from the IANA Special-Purpose Address Registries. CPython 3.12.4 and 3.13.0a6 contain updated information from these registries and thus have the intended behavior. |
CVE-2024-4032 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Address typing not relied upon for security issues. |
| bind9-dnsutils 1:9.18.24-1 |
Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-4076 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Assertion failure won't cause system issue. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. |
CVE-2024-4467 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Don't use untrusted QEMU images. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
CVE-2024-45490 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS doesn't use libexpat on untrusted XML. |
| liboath0 2.6.7-3.1 |
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. |
CVE-2024-47191 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
TrueNAS does not use vulnerable PAM config required for this vulnerability. |
| libarchive13 3.6.2-1+deb12u1 |
execute_filter_audio in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. |
CVE-2024-48957 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libarchive not used for audio. |
| libarchive13 3.6.2-1+deb12u1 |
execute_filter_delta in archive_read_support_format_rar.c in libarchive before 3.7.5 allows out-of-bounds access via a crafted archive file because src can move beyond dst. |
CVE-2024-48958 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libarchive not used for RAR |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-6119 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libssl not used for TLS client certificate checking |
| libpython3.11 3.11.2-6+deb12u2 |
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives. |
CVE-2024-6232 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libpython not used with regular expressions in tar file processing. |
| python3-pkg-resources 66.1.1-1 |
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. |
CVE-2024-6345 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
setuptools not used at runtime |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
|
CVE-2024-6519 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
QEMU not used for LSI HBA emulation. |
| libnss3 2:3.87.1-1 |
When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. |
CVE-2024-6609 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Firefox and Thunderbird not available on system. |
| libgtk-3-0 3.24.38-2~deb12u1 |
A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. |
CVE-2024-6655 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
GTK applications not reachable from TrueNAS internals. |
| libtiff6 4.5.0-6+deb12u1 |
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. |
CVE-2024-7006 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libtiff not exposed to forced memory failures |
| libnbd0 1.14.2-1 |
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. |
CVE-2024-7383 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
libnbd not used in vulnerable fashion |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. |
CVE-2024-7409 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
qemu not used in vulnerable fashion |
| libpython3.11 3.11.2-6+deb12u2 |
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value. |
CVE-2024-7592 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
CPython not used in vulnerable fashion. |
| gitpython 3.1.30 |
Untrusted search path under some conditions on Windows allows arbitrary code execution |
GHSA-2mqj-m65w-jghx |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Windows vulnerability. |
| pillow 9.4.0 |
Arbitrary Code Execution in Pillow |
GHSA-3f63-hfp8-52jq |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Pillow code not reachable for arbitrary images. |
| cryptography 38.0.4 |
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack |
GHSA-3ww4-gg4f-jr7f |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys. |
| pillow 9.4.0 |
Bundled libwebp in Pillow vulnerable |
GHSA-56pw-mpj4-fxww |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Pollow code not reachable for untrusted images. |
| aiohttp 3.8.5 |
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests |
GHSA-5m98-qgg9-wh84 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
aiohttp not used for arbitrary POST requesrts. |
| cryptography 38.0.4 |
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override |
GHSA-6vqw-3v5j-54x4 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
cryptography not called with unmatching certs and keys. |
| pillow 9.4.0 |
Pillow Denial of Service vulnerability |
GHSA-8ghj-p4vj-mr35 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Pillow not used for arbitrary image processing. |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 |
otelgrpc DoS vulnerability due to unbound cardinality metrics |
GHSA-8pgv-569h-w5rw |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
DoS not reachable in TrueNAS code. |
| asyncssh 2.13.2 |
AsyncSSH Rogue Session Attack |
GHSA-c35q-ffpf-5qpm |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
asyncssh not used in vulnerable fashion |
| setuptools 66.1.1 |
setuptools vulnerable to Command Injection via package URL |
GHSA-cx63-2mw6-8hw5 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
setuptools not used for untrusted packages. |
| pycryptodomex 3.11.0 |
PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption |
GHSA-j225-cvw7-qrx7 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
OAEP decrytption not used internally in TrueNAS. |
| pillow 9.4.0 |
libwebp: OOB write in BuildHuffmanTable |
GHSA-j7hp-h8jx-5ppr |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Pillow not used for untrusted image processing. |
| markdown-it-py 2.1.0 |
markdown-it-py Denial of Service vulnerability in the command line interface |
GHSA-jrwr-5x3p-hvc3 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
markdown not used in vulnerable fashion. |
| markdown-it-py 2.1.0 |
markdown-it-py Denial of Service vulnerability |
GHSA-vrjv-mxr7-vjf8 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
markdown not used in vulnerable fashion. |
| gitpython 3.1.30 |
GitPython untrusted search path on Windows systems leading to arbitrary code execution |
GHSA-wfm5-v35h-vwf4 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Windows vulnerability. |
| cryptography 38.0.4 |
Vulnerable OpenSSL included in cryptography wheels |
GHSA-x4qr-2fvf-3mr5 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
Not building from from supplied wheels. |
| certifi 2022.9.24 |
Removal of e-Tugra root certificate |
GHSA-xqr8-7jwr-rhp7 |
High |
False Positive |
SCALE 24.10.0 |
|
Link |
External certificate issue. |
| stdlib go1.21.6 |
When following an HTTP redirect to a domain which is not a subdomain match or exact match of the initial domain, an http.Client does not forward sensitive headers such as "Authorization" or "Cookie". For example, a redirect from foo.com to www.foo.com will forward the Authorization header, but a redirect to bar.com will not. A maliciously crafted HTTP redirect could cause sensitive headers to be unexpectedly forwarded. |
CVE-2023-45289 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Product does not follow HTTP redirects. |
| stdlib go1.21.6 |
When parsing a multipart form (either explicitly with Request.ParseMultipartForm or implicitly with Request.FormValue, Request.PostFormValue, or Request.FormFile), limits on the total size of the parsed form were not applied to the memory consumed while reading a single form line. This permits a maliciously crafted input containing very long lines to cause allocation of arbitrarily large amounts of memory, potentially leading to memory exhaustion. With fix, the ParseMultipartForm function now correctly limits the maximum size of form lines. |
CVE-2023-45290 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Go stdlib not used for form processing. |
| libncurses6 6.4-4 |
ncurses 6.4-20230610 has a NULL pointer dereference in tgetstr in tinfo/lib_termcap.c. |
CVE-2023-45918 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
ncurses not used for basic operations. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Recent x86 CPUs offer functionality named Control-flow Enforcement Technology (CET). A sub-feature of this are Shadow Stacks (CET-SS). CET-SS is a hardware feature designed to protect against Return Oriented Programming attacks. When enabled, traditional stacks holding both data and return addresses are accompanied by so called "shadow stacks", holding little more than return addresses. Shadow stacks aren't writable by normal instructions, and upon function returns their contents are used to check for possible manipulation of a return address coming from the traditional stack. In particular certain memory accesses need intercepting by Xen. In various cases the necessary emulation involves kind of replaying of the instruction. Such replaying typically involves filling and then invoking of a stub. Such a replayed instruction may raise an exceptions, which is expected and dealt with accordingly. Unfortunately the interaction of both of the above wasn't right: Recovery involves removal of a call frame from the (traditional) stack. The counterpart of this operation for the shadow stack was missing. |
CVE-2023-46841 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Don't run untrusted guests. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Unlike 32-bit PV guests, HVM guests may switch freely between 64-bit and other modes. This in particular means that they may set registers used to pass 32-bit-mode hypercall arguments to values outside of the range 32-bit code would be able to set them to. When processing of hypercalls takes a considerable amount of time, the hypervisor may choose to invoke a hypercall continuation. Doing so involves putting (perhaps updated) hypercall arguments in respective registers. For guests not running in 64-bit mode this further involves a certain amount of translation of the values. Unfortunately internal sanity checking of these translated values assumes high halves of registers to always be clear when invoking a hypercall. When this is found not to be the case, it triggers a consistency check in the hypervisor and causes a crash. |
CVE-2023-46842 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Don't run untrusted guests. |
| dnsmasq-base 2.89-1 |
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. |
CVE-2023-50868 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
dnsmasq not used for DNSSEC in TrueNAS |
| libnss3 2:3.87.1-1 |
NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. |
CVE-2023-5388 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Firefox and Thunderbird not available in TrueNAS. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
A Speculative Race Condition (SRC) vulnerability that impacts modern CPU architectures supporting speculative execution (related to Spectre V1) has been disclosed. An unauthenticated attacker can exploit this vulnerability to disclose arbitrary data from the CPU using race conditions to access the speculative executable code paths. |
CVE-2024-2193 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
|
CVE-2024-2201 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
DO not run untrusted guest VMs. |
| stdlib go1.21.6 |
Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates. |
CVE-2024-24783 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Go stdlib not used for certificate verification. |
| stdlib go1.21.6 |
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. |
CVE-2024-24785 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
go stdlib not used to parse untrusted JSON |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. |
CVE-2024-2511 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Requires non-default TLS server config. |
| iperf3 3.12-1+deb12u1 |
iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. |
CVE-2024-26306 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
iperf3 server not used. |
| krb5-user 1.20.1-2+deb12u1 |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. |
CVE-2024-26458 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Memory leak |
| krb5-user 1.20.1-2+deb12u1 |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. |
CVE-2024-26462 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Memory leak. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html |
CVE-2024-31142 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted guest VMs. |
| libclang-cpp14 1:14.0.6-12 |
LLVM before 18.1.3 generates code in which the LR register can be overwritten without data being saved to the stack, and thus there can sometimes be an exploitable error in the flow of control. This affects the ARM backend and can be demonstrated with Clang. NOTE: the vendor perspective is "we don't have strong objections for a CVE to be created ... It does seem that the likelihood of this miscompile enabling an exploit remains very low, because the miscompile resulting in this JOP gadget is such that the function is most likely to crash on most valid inputs to the function. So, if this function is covered by any testing, the miscompile is most likely to be discovered before the binary is shipped to production." |
CVE-2024-31852 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
ARM cpu only. |
| stdlib go1.21.12 |
Calling any of the Parse functions on Go source code which contains deeply nested literals can cause a panic due to stack exhaustion. |
CVE-2024-34155 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Build-time problem only. |
| libopenipmi0 2.0.33-1+b1 |
OpenIPMI before 2.0.36 has an out-of-bounds array access (for authentication type) in the ipmi_sim simulator, resulting in denial of service or (with very low probability) authentication bypass or code execution. |
CVE-2024-42934 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Simulator not used. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. |
CVE-2024-45817 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted VM guests in TrueNAS. |
| libssl3 3.0.13-1~deb12u2 |
|
CVE-2024-4741 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Vulnerable code not used in TrueNAS |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
|
CVE-2024-7730 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
Do not run untrusted VM guests. |
| libpython3.11 3.11.2-6+deb12u2 |
There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected. |
CVE-2024-8088 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
zipfile code not used to parse untrusted zip files. |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of existence of a vulnerable application is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use-cases would have to be using an "exotic" curve encoding. The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-9143 |
Unknown |
False Positive |
SCALE 24.10.0 |
|
Link |
libssl not used for explicit EC curves. |
| busybox 1:1.35.0-4+b3 |
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. |
CVE-2022-48174 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not make use of busybox in a way that can be reached by this exploit. |
| zlib1g 1:1.2.13.dfsg-1 |
MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. NOTE: pyminizip through 0.2.6 is also vulnerable because it bundles an affected zlib version, and exposes the applicable MiniZip code through its compress API. |
CVE-2023-45853 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use MiniZip in an exploitable way. |
| rsync 3.2.7-1 |
A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer. |
CVE-2024-12084 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
rsync is not used in daemon mode within TrueNAS SCALE. |
| stdlib go1.21.6 |
The various Is methods (IsPrivate, IsLoopback, etc) did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. |
CVE-2024-24790 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use Go's stdlib for IPv6 IP address checks. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources. |
CVE-2024-32002 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use git internally in an exploitable way for this vulnerability. |
| krb5-user 1.20.1-2+deb12u1 |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields. |
CVE-2024-37371 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS isn't acting as a kerberos server. |
| wget 1.21.3-1+b2 |
url.c in GNU Wget through 1.24.5 mishandles semicolons in the userinfo subcomponent of a URI, and thus there may be insecure behavior in which data that was supposed to be in the userinfo subcomponent is misinterpreted to be part of the host subcomponent. |
CVE-2024-38428 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
wget is not used on untrusted URLs. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. dtdCopy in xmlparse.c can have an integer overflow for nDefaultAtts on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
CVE-2024-45491 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Not a 32-bit platform. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. nextScaffoldPart in xmlparse.c can have an integer overflow for m_groupSize on 32-bit platforms (where UINT_MAX equals SIZE_MAX). |
CVE-2024-45492 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Not a 32-bit platform. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. A stack-buffer overflow has been detected in the `vorbis_handle_identification_packet` function within `gstvorbisdec.c`. The position array is a stack-allocated buffer of size 64. If vd->vi.channels exceeds 64, the for loop will write beyond the boundaries of the position array. The value written will always be `GST_AUDIO_CHANNEL_POSITION_NONE`. This vulnerability allows someone to overwrite the EIP address allocated in the stack. Additionally, this bug can overwrite the `GstAudioInfo` info structure. This vulnerability is fixed in 1.24.10. |
CVE-2024-47538 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. An OOB-read vulnerability has been detected in the format_channel_mask function in gst-discoverer.c. The vulnerability affects the local array position, which is defined with a fixed size of 64 elements. However, the function gst_discoverer_audio_info_get_channels may return a guint channels value greater than 64. This causes the for loop to attempt access beyond the bounds of the position array, resulting in an OOB-read when an index greater than 63 is used. This vulnerability can result in reading unintended bytes from the stack. Additionally, the dereference of value->value_nick after the OOB-read can lead to further memory corruption or undefined behavior. This vulnerability is fixed in 1.24.10. |
CVE-2024-47600 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libgstreamer1.0-0 1.22.0-2 |
GStreamer is a library for constructing graphs of media-handling components. An integer underflow has been detected in the function qtdemux_parse_theora_extension within qtdemux.c. The vulnerability occurs due to an underflow of the gint size variable, which causes size to hold a large unintended value when cast to an unsigned integer. This 32-bit negative value is then cast to a 64-bit unsigned integer (0xfffffffffffffffa) in a subsequent call to gst_buffer_new_and_alloc. The function gst_buffer_new_allocate then attempts to allocate memory, eventually calling _sysmem_new_block. The function _sysmem_new_block adds alignment and header size to the (unsigned) size, causing the overflow of the 'slice_size' variable. As a result, only 0x89 bytes are allocated, despite the large input size. When the following memcpy call occurs in gst_buffer_fill, the data from the input file will overwrite the content of the GstMapInfo info structure. Finally, during the call to gst_memory_unmap, the overwritten memory may cause a function pointer hijack, as the mem->allocator->mem_unmap_full function is called with a corrupted pointer. This function pointer overwrite could allow an attacker to alter the execution flow of the program, leading to arbitrary code execution. This vulnerability is fixed in 1.24.10. |
CVE-2024-47606 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. stack-buffer overflow has been detected in the gst_opus_dec_parse_header function within `gstopusdec.c'. The pos array is a stack-allocated buffer of size 64. If n_channels exceeds 64, the for loop will write beyond the boundaries of the pos array. The value written will always be GST_AUDIO_CHANNEL_POSITION_NONE. This bug allows to overwrite the EIP address allocated in the stack. This vulnerability is fixed in 1.24.10. |
CVE-2024-47607 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. An OOB-Write has been detected in the function gst_parse_vorbis_setup_packet within vorbis_parse.c. The integer size is read from the input file without proper validation. As a result, size can exceed the fixed size of the pad->vorbis_mode_sizes array (which size is 256). When this happens, the for loop overwrites the entire pad structure with 0s and 1s, affecting adjacent memory as well. This OOB-write can overwrite up to 380 bytes of memory beyond the boundaries of the pad->vorbis_mode_sizes array. This vulnerability is fixed in 1.24.10. |
CVE-2024-47615 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libglib2.0-0 2.74.6-2+deb12u3 |
gio/gsocks4aproxy.c in GNOME GLib before 2.82.1 has an off-by-one error and resultant buffer overflow because SOCKS4_CONN_MSG_LEN is not sufficient for a trailing '\0' character. |
CVE-2024-52533 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
SOCKS4 not being used. |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Calling the OpenSSL API function SSL_select_next_proto with an empty supported client protocols buffer may cause a crash or memory contents to be sent to the peer. Impact summary: A buffer overread can have a range of potential consequences such as unexpected application beahviour or a crash. In particular this issue could result in up to 255 bytes of arbitrary private data from memory being sent to the peer leading to a loss of confidentiality. However, only applications that directly call the SSL_select_next_proto function with a 0 length list of supported client protocols are affected by this issue. This would normally never be a valid scenario and is typically not under attacker control but may occur by accident in the case of a configuration or programming error in the calling application. The OpenSSL API function SSL_select_next_proto is typically used by TLS applications that support ALPN (Application Layer Protocol Negotiation) or NPN (Next Protocol Negotiation). NPN is older, was never standardised and is deprecated in favour of ALPN. We believe that ALPN is significantly more widely deployed than NPN. The SSL_select_next_proto function accepts a list of protocols from the server and a list of protocols from the client and returns the first protocol that appears in the server list that also appears in the client list. In the case of no overlap between the two lists it returns the first item in the client list. In either case it will signal whether an overlap between the two lists was found. In the case where SSL_select_next_proto is called with a zero length client list it fails to notice this condition and returns the memory immediately following the client list pointer (and reports that there was no overlap in the lists). This function is typically called from a server side application callback for ALPN or a client side application callback for NPN. In the case of ALPN the list of protocols supplied by the client is guaranteed by libssl to never be zero in length. The list of server protocols comes from the application and should never normally be expected to be of zero length. In this case if the SSL_select_next_proto function has been called as expected (with the list supplied by the client passed in the client/client_len parameters), then the application will not be vulnerable to this issue. If the application has accidentally been configured with a zero length server list, and has accidentally passed that zero length server list in the client/client_len parameters, and has additionally failed to correctly handle a "no overlap" response (which would normally result in a handshake failure in ALPN) then it will be vulnerable to this problem. In the case of NPN, the protocol permits the client to opportunistically select a protocol when there is no overlap. OpenSSL returns the first client protocol in the no overlap case in support of this. The list of client protocols comes from the application and should never normally be expected to be of zero length. However if the SSL_select_next_proto function is accidentally called with a client_len of 0 then an invalid memory pointer will be returned instead. If the application uses this output as the opportunistic protocol then the loss of confidentiality will occur. This issue has been assessed as Low severity because applications are most likely to be vulnerable if they are using NPN instead of ALPN - but NPN is not widely used. It also requires an application configuration or programming error. Finally, this issue would not typically be under attacker control making active exploitation unlikely. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. Due to the low severity of this issue we are not issuing new releases of OpenSSL at this time. The fix will be included in the next releases when they become available. |
CVE-2024-5535 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use NPN. FIPS is not affected. |
| libnss3 2:3.87.1-1 |
A mismatch between allocator and deallocator could have led to memory corruption. This vulnerability affects Firefox < 128, Firefox ESR < 115.13, Thunderbird < 115.13, and Thunderbird < 128. |
CVE-2024-6602 |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Firefox and Thunderbird not present. |
| pillow 9.4.0 |
Arbitrary Code Execution in Pillow |
GHSA-3f63-hfp8-52jq |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Pillow code not reachable for arbitrary images. |
| gitpython 3.1.30 |
GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments |
GHSA-pr76-5cm5-w9cj |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use GitPython with untrusted git repos. |
| github.com/docker/docker v27.0.3+incompatible |
Authz zero length regression |
GHSA-v23v-6jw2-98fq |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted applications on your TrueNAS system. |
| golang.org/x/crypto v0.17.0 |
Misuse of ServerConfig.PublicKeyCallback may cause authorization bypass in golang.org/x/crypto |
GHSA-v778-237x-gjrc |
critical |
False Positive |
SCALE 24.10.2 |
|
Link |
Functions not in use. |
| python3-rsa 4.8-1 |
It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA. |
CVE-2020-25658 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Python-rsa not in use. |
| libopenjp2-7 2.5.0-2 |
A heap-based buffer overflow was found in openjpeg in color.c:379:42 in sycc420_to_rgb when decompressing a crafted .j2k file. An attacker could use this to execute arbitrary code with the permissions of the application compiled against openjpeg. |
CVE-2021-3575 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use libopenjp for processing untrusted images. |
| firmware-amd-graphics 20240709-2~bpo12+1 |
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2022-27635 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Wifi not used. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. |
CVE-2022-3872 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted guest VMs. |
| firmware-amd-graphics 20240709-2~bpo12+1 |
Improper access control for some Intel(R) PROSet/Wireless WiFi and Killer(TM) WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2022-40964 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Wifi not used. |
| firmware-amd-graphics 20240709-2~bpo12+1 |
Protection mechanism failure for some Intel(R) PROSet/Wireless WiFi software may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2022-46329 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Wifi not used.
|
| libgfapi0 10.3-5 |
In Gluster GlusterFS 11.0, there is an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. |
CVE-2022-48340 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Gluster FS not used internally. |
| libxml2 2.9.14+dfsg-1.3~deb12u1 |
xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. |
CVE-2022-49043 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency. |
| libharfbuzz0b 6.0.0+dfsg-3 |
hb-ot-layout-gsubgpos.hh in HarfBuzz through 6.0.0 allows attackers to trigger O(n^2) growth via consecutive marks during the process of looking back for base glyphs when attaching marks. |
CVE-2023-25193 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not using harfbuzz to display attacker chosen strings. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, by feeding specially crafted input to `git apply --reject`, a path outside the working tree can be overwritten with partially controlled contents (corresponding to the rejected hunk(s) from the given patch). A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid using `git apply` with `--reject` when applying patches from an untrusted source. Use `git apply --stat` to inspect a patch before applying; avoid applying one that create a conflict where a link corresponding to the `*.rej` file exists. |
CVE-2023-25652 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't run git apply internally. |
| vim-common 2:9.0.1378-2 |
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.1532. |
CVE-2023-2610 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Only vulnerable if untrusted file is run in script mode. |
| dnsmasq-base 2.89-1 |
An issue was discovered in Dnsmasq before 2.90. The default maximum EDNS.0 UDP packet size was set to 4096 but should be 1232 because of DNS Flag Day 2020. |
CVE-2023-28450 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
dnsmasq is not used in a vulnerable way. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted `.gitmodules` file with submodule URLs that are longer than 1024 characters can used to exploit a bug in `config.c::git_config_copy_or_rename_section_in_file()`. This bug can be used to inject arbitrary configuration into a user's `$GIT_DIR/config` when attempting to remove the configuration section associated with that submodule. When the attacker injects configuration values which specify executables to run (such as `core.pager`, `core.editor`, `core.sshCommand`, etc.) this can lead to a remote code execution. A fix A fix is available in versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1. As a workaround, avoid running `git submodule deinit` on untrusted repositories or without prior inspection of any submodule sections in `$GIT_DIR/config`. |
CVE-2023-29007 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use git on untrusted repos. |
| python3-dnspython 2.3.0-1 |
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1. |
CVE-2023-29483 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use dnspython for arbitrary DNS resolution |
| libldap-2.5-0 2.5.13+dfsg-5 |
A vulnerability was found in openldap. This security flaw causes a null pointer dereference in ber_memalloc_x() function. |
CVE-2023-2953 |
high |
Low |
SCALE 24.10.2 |
|
Link |
iX considers risk to be low. There are no known exploits of this null pointer bug. |
| amd64-microcode 3.20230808.1.1~deb12u1 |
Improper validation in a model specific register (MSR) could allow a malicious program with ring0 access to modify SMM configuration while SMI lock is enabled, potentially leading to arbitrary code execution. |
CVE-2023-31315 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
No untrusted code with ring0 access. |
| libperl5.36 5.36.0-7+deb12u1 |
CPAN.pm before 2.35 does not verify TLS certificates when downloading distributions over HTTPS. |
CVE-2023-31484 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
CPAN is not used in a vulnerable way. |
| sysstat 12.6.1-1 |
sysstat through 12.7.2 allows a multiplication integer overflow in check_overflow in common.c. NOTE: this issue exists because of an incomplete fix for CVE-2022-39377. |
CVE-2023-33204 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
sysstat is not used in a vulnerable way. |
| truenas-sssd 2.9.5-2 |
A race condition flaw was found in sssd where the GPO policy is not consistently applied for authenticated users. This may lead to improper authorization issues, granting or denying access to resources inappropriately. |
CVE-2023-3758 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Race condition that requires non-default configuration. |
| busybox 1:1.35.0-4+b3 |
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. |
CVE-2023-39810 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Busybox not used for CPIO |
| shim-unsigned 15.7-1 |
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully. |
CVE-2023-40547 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Shim not used for http-based booting. |
| shim-unsigned 15.7-1 |
A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase. |
CVE-2023-40548 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
32-bit platform. |
| sudo 1.9.13p3-1+deb12u1 |
Sudo before 1.9.15 might allow row hammer attacks (for authentication bypass or privilege escalation) because application logic sometimes is based on not equaling an error value (instead of equaling a success value), and because the values do not resist flips of a single bit. |
CVE-2023-42465 |
high |
Low |
SCALE 24.10.2 |
|
Link |
Rowhammer attacks are hardware-based; it's nearly impossible to completely fix this issue in software. Do not run untrusted VMs or containers on your TrueNAS. |
| intel-microcode 3.20240514.1~deb12u1 |
Improper isolation in the Intel(R) Core(TM) Ultra Processor stream cache mechanism may allow an authenticated user to potentially enable escalation of privilege via local access. |
CVE-2023-42667 |
high |
Low |
SCALE 24.10.2 |
|
Link |
Exploit requires local authenticated access and specific Intel CPU |
| nginx 1.22.1-9 |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
CVE-2023-44487 |
high |
Low |
SCALE 24.10.2 |
|
Link |
Do not expost your TrueNAS HTTP ports to the internet. |
| stdlib go1.21.6 |
An attacker may cause an HTTP/2 endpoint to read arbitrary amounts of header data by sending an excessive number of CONTINUATION frames. Maintaining HPACK state requires parsing and processing all HEADERS and CONTINUATION frames on a connection. When a request's headers exceed MaxHeaderBytes, no memory is allocated to store the excess headers, but they are still parsed. This permits an attacker to cause an HTTP/2 endpoint to read arbitrary amounts of header data, all associated with a request which is going to be rejected. These headers can include Huffman-encoded data which is significantly more expensive for the receiver to decode than for an attacker to send. The fix sets a limit on the amount of excess header frames we will process before closing a connection. |
CVE-2023-45288 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Go's stdlib not used for serving HTTP. |
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1848. |
CVE-2023-4738 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires obscure vim use. No known exploit. |
| vim-common 2:9.0.1378-2 |
Use After Free in GitHub repository vim/vim prior to 9.0.1858. |
CVE-2023-4752 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires vim use; no escalation |
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1873. |
CVE-2023-4781 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires vim use; no escalation |
| dnsmasq-base 2.89-1 |
Certain DNSSEC aspects of the DNS protocol (in RFC 4033, 4034, 4035, 6840, and related RFCs) allow remote attackers to cause a denial of service (CPU consumption) via one or more DNSSEC responses, aka the "KeyTrap" issue. One of the concerns is that, when there is a zone with many DNSKEY and RRSIG records, the protocol specification implies that an algorithm must evaluate all combinations of DNSKEY and RRSIG records. |
CVE-2023-50387 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
dnsmasq not used in a way that this exploit can reach. |
| python3-cryptography 38.0.4-3 |
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. |
CVE-2023-50782 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Not serving TLS via this code. |
| p7zip 16.02+dfsg-8 |
The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc. |
CVE-2023-52168 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
p7zip not used internally. |
| libtiff6 4.5.0-6+deb12u1 |
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB. |
CVE-2023-52355 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
libtiff not used internally. |
| libtiff6 4.5.0-6+deb12u1 |
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service. |
CVE-2023-52356 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
libtiff not used internally. |
| libexpat1 2.5.0-1 |
libexpat through 2.5.0 allows a denial of service (resource consumption) because many full reparsings are required in the case of a large token for which multiple buffer fills are needed. |
CVE-2023-52425 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Unreachable denial of service. |
| vim-common 2:9.0.1378-2 |
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1969. |
CVE-2023-5344 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires vim use; no escalation |
| libnss3 2:3.87.1-1 |
An unchecked return value in TLS handshake code could have caused a potentially exploitable crash. This vulnerability affects Firefox < 122, Firefox ESR < 115.9, and Thunderbird < 115.9. |
CVE-2024-0743 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Firefox and Thunderbird not included in TrueNAS. |
| bind9-dnsutils 1:9.18.24-1 |
A malicious client can send many DNS messages over TCP, potentially causing the server to become unstable while the attack is in progress. The server may recover after the attack ceases. Use of ACLs will not mitigate the attack. This issue affects BIND 9 versions 9.18.1 through 9.18.27, 9.19.0 through 9.19.24, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-0760 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not serving DNS. |
| rsync 3.2.7-1 |
A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time. |
CVE-2024-12085 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Rsync not used in daemon mode. |
| bind9-dnsutils 1:9.18.24-1 |
Resolver caches and authoritative zone databases that hold significant numbers of RRs for the same hostname (of any RTYPE) can suffer from degraded performance as content is being added or updated, and also when handling client queries for this name. This issue affects BIND 9 versions 9.11.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.4-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-1737 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not using bind9 for cachinng results. |
| bind9-dnsutils 1:9.18.24-1 |
If a server hosts a zone containing a "KEY" Resource Record, or a resolver DNSSEC-validates a "KEY" Resource Record from a DNSSEC-signed domain in cache, a client can exhaust resolver CPU resources by sending a stream of SIG(0) signed requests. This issue affects BIND 9 versions 9.0.0 through 9.11.37, 9.16.0 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.9.3-S1 through 9.11.37-S1, 9.16.8-S1 through 9.16.49-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-1975 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not using bind9 to cache results. |
| libarchive13 3.6.2-1+deb12u1 |
Windows libarchive Remote Code Execution Vulnerability |
CVE-2024-20696 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
No windows involvement. |
| intel-microcode 3.20240514.1~deb12u1 |
Incorrect default permissions in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-21820 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires privileged access. |
| vim-common 2:9.0.1378-2 |
Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option callback functions. |
CVE-2024-22667 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires vim use; no escalation |
| intel-microcode 3.20240514.1~deb12u1 |
Improper conditions check in some Intel(R) Xeon(R) processor memory controller configurations when using Intel(R) SGX may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-23918 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires privileged access. |
| curl 7.88.1-10+deb12u5 |
When an application tells libcurl it wants to allow HTTP/2 server push, and the amount of received headers for the push surpasses the maximum allowed limit (1000), libcurl aborts the server push. When aborting, libcurl inadvertently does not free all the previously allocated headers and instead leaks the memory. Further, this error condition fails silently and is therefore not easily detected by an application. |
CVE-2024-2398 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use libcurl in a vulnerable way. |
| stdlib go1.21.6 |
The ParseAddressList function incorrectly handles comments (text within parentheses) within display names. Since this is a misalignment with conforming address parsers, it can result in different trust decisions being made by programs using different parsers. |
CVE-2024-24784 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use ParseAddressList |
| stdlib go1.21.6 |
The net/http HTTP/1.1 client mishandled the case where a server responds to a request with an "Expect: 100-continue" header with a non-informational (200 or higher) status. This mishandling could leave a client connection in an invalid state, where the next request sent on the connection will fail. An attacker sending a request to a net/http/httputil.ReverseProxy proxy can exploit this mishandling to cause a denial of service by sending "Expect: 100-continue" requests which elicit a non-informational response from the backend. Each such request leaves the proxy with an invalid connection, and causes one subsequent request using that connection to fail. |
CVE-2024-24791 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not using net/http client. |
| intel-microcode 3.20240514.1~deb12u1 |
Incorrect behavior order in transition between executive monitor and SMI transfer monitor (STM) in some Intel(R) Processor may allow a privileged user to potentially enable escalation of privilege via local access. |
CVE-2024-24853 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires local privileged access. |
| libxml2 2.9.14+dfsg-1.3~deb12u1 |
An issue was discovered in libxml2 before 2.11.7 and 2.12.x before 2.12.5. When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. |
CVE-2024-25062 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS is not processing XML from attackers. |
| python3-cryptography 38.0.4-3 |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised. |
CVE-2024-26130 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use cryptography package in a vulnerable way. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
An optional feature of PCI MSI called "Multiple Message" allows a device to use multiple consecutive interrupt vectors. Unlike for MSI-X, the setting up of these consecutive vectors needs to happen all in one go. In this handling an error path could be taken in different situations, with or without a particular lock held. This error path wrongly releases the lock even when it is not currently held. |
CVE-2024-31143 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Don't run untrusted guests. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Certain PCI devices in a system might be assigned Reserved Memory Regions (specified via Reserved Memory Region Reporting, "RMRR") for Intel VT-d or Unity Mapping ranges for AMD-Vi. These are typically used for platform tasks such as legacy USB emulation. Since the precise purpose of these regions is unknown, once a device associated with such a region is active, the mappings of these regions need to remain continuouly accessible by the device. In the logic establishing these mappings, error handling was flawed, resulting in such mappings to potentially remain in place when they should have been removed again. Respective guests would then gain access to memory regions which they aren't supposed to have access to. |
CVE-2024-31145 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted guest VMs. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
When multiple devices share resources and one of them is to be passed through to a guest, security of the entire system and of respective guests individually cannot really be guaranteed without knowing internals of any of the involved guests. Therefore such a configuration cannot really be security-supported, yet making that explicit was so far missing. Resources the sharing of which is known to be problematic include, but are not limited to - - PCI Base Address Registers (BARs) of multiple devices mapping to the same page (4k on x86), - - INTx lines. |
CVE-2024-31146 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted guest VMs. |
| git 1:2.39.2-1.1 |
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, an attacker can prepare a local repository in such a way that, when cloned, will execute arbitrary code during the operation. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid cloning repositories from untrusted sources. |
CVE-2024-32004 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Git not used with untrusted repositories. |
| git 1:2.39.2-1.1 |
Git is a revision control system. The Git project recommends to avoid working in untrusted repositories, and instead to clone it first with `git clone --no-local` to obtain a clean copy. Git has specific protections to make that a safe operation even with an untrusted source repository, but vulnerabilities allow those protections to be bypassed. In the context of cloning local repositories owned by other users, this vulnerability has been covered in CVE-2024-32004. But there are circumstances where the fixes for CVE-2024-32004 are not enough: For example, when obtaining a `.zip` file containing a full copy of a Git repository, it should not be trusted by default to be safe, as e.g. hooks could be configured to run within the context of that repository. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. As a workaround, avoid using Git in repositories that have been obtained via archives from untrusted sources. |
CVE-2024-32465 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Git not used with untrusted repos. |
| libunbound8 1.17.1-2+deb12u2 |
The DNS protocol in RFC 1035 and updates allows remote attackers to cause a denial of service (resource consumption) by arranging for DNS queries to be accumulated for seconds, such that responses are later sent in a pulsing burst (which can be considered traffic amplification in some cases), aka the "DNSBomb" issue. |
CVE-2024-33655 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
DNS resolution not used in vulnerable fashion. |
| stdlib go1.21.12 |
Calling Decoder.Decode on a message which contains deeply nested structures can cause a panic due to stack exhaustion. This is a follow-up to CVE-2022-30635. |
CVE-2024-34156 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Decode not used. |
| stdlib go1.21.12 |
Calling Parse on a "// +build" build tag line with deeply nested expressions can cause a panic due to stack exhaustion. |
CVE-2024-34158 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Build time issue. |
| krb5-user 1.20.1-2+deb12u1 |
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. |
CVE-2024-37370 |
high |
Low |
SCALE 24.10.2 |
|
Link |
No proof-of-concepts exist at this time. |
| bind9-dnsutils 1:9.18.24-1 |
Client queries that trigger serving stale data and that also require lookups in local authoritative zone data may result in an assertion failure. This issue affects BIND 9 versions 9.16.13 through 9.16.50, 9.18.0 through 9.18.27, 9.19.0 through 9.19.24, 9.11.33-S1 through 9.11.37-S1, 9.16.13-S1 through 9.16.50-S1, and 9.18.11-S1 through 9.18.27-S1. |
CVE-2024-4076 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Assertion failure won't cause system issue. |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A flaw was found in the QEMU disk image utility (qemu-img) 'info' command. A specially crafted image file containing a `json:{}` value describing block devices in QMP could cause the qemu-img process on the host to consume large amounts of memory or CPU time, leading to denial of service or read/write to an existing external file. |
CVE-2024-4467 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Don't use untrusted QEMU images. |
| libexpat1 2.5.0-1 |
An issue was discovered in libexpat before 2.6.3. xmlparse.c does not reject a negative length for XML_ParseBuffer. |
CVE-2024-45490 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS doesn't use libexpat on untrusted XML. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
In x86's APIC (Advanced Programmable Interrupt Controller) architecture, error conditions are reported in a status register. Furthermore, the OS can opt to receive an interrupt when a new error occurs. It is possible to configure the error interrupt with an illegal vector, which generates an error when an error interrupt is raised. This case causes Xen to recurse through vlapic_error(). The recursion itself is bounded; errors accumulate in the the status register and only generate an interrupt when a new status bit becomes set. However, the lock protecting this state in Xen will try to be taken recursively, and deadlock. |
CVE-2024-45817 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted VM guests in TrueNAS. |
| liboath0 2.6.7-3.1 |
pam_oath.so in oath-toolkit 2.6.7 through 2.6.11 before 2.6.12 allows root privilege escalation because, in the context of PAM code running as root, it mishandles usersfile access, such as by calling fchown in the presence of a symlink. |
CVE-2024-47191 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
TrueNAS does not use vulnerable PAM config required for this vulnerability. |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Calling the OpenSSL API function SSL_free_buffers may cause memory to be accessed that was previously freed in some situations Impact summary: A use after free can have a range of potential consequences such as the corruption of valid data, crashes or execution of arbitrary code. However, only applications that directly call the SSL_free_buffers function are affected by this issue. Applications that do not call this function are not vulnerable. Our investigations indicate that this function is rarely used by applications. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. While these scenarios could occur accidentally during normal operation a malicious attacker could attempt to engineer a stituation where this occurs. We are not aware of this issue being actively exploited. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-4741 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Vulnerable code not used in TrueNAS |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. An OOB-write vulnerability has been identified in the gst_ssa_parse_remove_override_codes function of the gstssaparse.c file. This function is responsible for parsing and removing SSA (SubStation Alpha) style override codes, which are enclosed in curly brackets ({}). The issue arises when a closing curly bracket "}" appears before an opening curly bracket "{" in the input string. In this case, memmove() incorrectly duplicates a substring. With each successive loop iteration, the size passed to memmove() becomes progressively larger (strlen(end+1)), leading to a write beyond the allocated memory bounds. This vulnerability is fixed in 1.24.10. |
CVE-2024-47541 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Library not used in vulnerable specific configuration. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference has been discovered in the id3v2_read_synch_uint function, located in id3v2.c. If id3v2_read_synch_uint is called with a null work->hdr.frame_data, the pointer guint8 *data is accessed without validation, resulting in a null pointer dereference. This vulnerability can result in a Denial of Service (DoS) by triggering a segmentation fault (SEGV). This vulnerability is fixed in 1.24.10. |
CVE-2024-47542 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Library not used in vulnerable specific configuration. |
| libgstreamer-plugins-base1.0-0 1.22.0-3+deb12u2 |
GStreamer is a library for constructing graphs of media-handling components. A null pointer dereference vulnerability has been detected in the parse_lrc function within gstsubparse.c. The parse_lrc function calls strchr() to find the character ']' in the string line. The pointer returned by this call is then passed to g_strdup(). However, if the string line does not contain the character ']', strchr() returns NULL, and a call to g_strdup(start + 1) leads to a null pointer dereference. This vulnerability is fixed in 1.24.10. |
CVE-2024-47835 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Library not used in vulnerable specific configuration. |
| proftpd-core 1.3.8+dfsg-4+deb12u3 |
In ProFTPD through 1.3.8b before cec01cc, supplemental group inheritance grants unintended access to GID 0 because of the lack of supplemental groups from mod_sql. |
CVE-2024-48651 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
proftpd not used with mod_sql |
| iperf3 3.12-1+deb12u1 |
iperf v3.17.1 was discovered to contain a segmentation violation via the iperf_exchange_parameters() function. |
CVE-2024-53580 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires iperf use; no escalation |
| python3-jinja2 3.1.2-1 |
Jinja is an extensible templating engine. In versions on the 3.x branch prior to 3.1.5, a bug in the Jinja compiler allows an attacker that controls both the content and filename of a template to execute arbitrary Python code, regardless of if Jinja's sandbox is used. To exploit the vulnerability, an attacker needs to control both the filename and the contents of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates where the template author can also choose the template filename. This vulnerability is fixed in 3.1.5. |
CVE-2024-56201 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires attacker control of template |
| python3-jinja2 3.1.2-1 |
Jinja is an extensible templating engine. Prior to 3.1.5, An oversight in how the Jinja sandboxed environment detects calls to str.format allows an attacker that controls the content of a template to execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a template. Whether that is the case depends on the type of application using Jinja. This vulnerability impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to str.format and ensures they don't escape the sandbox. However, it's possible to store a reference to a malicious string's format method, then pass that to a filter that calls it. No such filters are built-in to Jinja, but could be present through custom filters in an application. After the fix, such indirect calls are also handled by the sandbox. This vulnerability is fixed in 3.1.5. |
CVE-2024-56326 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires attacker control of template |
| grub-common 2.99-9 |
GNU GRUB (aka GRUB2) through 2.12 has a heap-based buffer overflow in fs/hfs.c via crafted sblock data in an HFS filesystem. |
CVE-2024-56737 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires HFS use |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process. Impact summary: Abnormal termination of an application can a cause a denial of service. Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program. Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address. TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. |
CVE-2024-6119 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
libssl not used for TLS client certificate checking |
| python3-pkg-resources 66.1.1-1 |
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. The issue is fixed in version 70.0. |
CVE-2024-6345 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
setuptools not used at runtime |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A use-after-free vulnerability was found in the QEMU LSI53C895A SCSI Host Bus Adapter emulation. This issue can lead to a crash or VM escape. |
CVE-2024-6519 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
QEMU not used for LSI HBA emulation. |
| libnss3 2:3.87.1-1 |
When almost out-of-memory an elliptic curve key which was never allocated could have been freed again. This vulnerability affects Firefox < 128 and Thunderbird < 128. |
CVE-2024-6609 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Firefox and Thunderbird not available on system. |
| libgtk-3-0 3.24.38-2~deb12u1 |
A flaw was found in the GTK library. Under certain conditions, it is possible for a library to be injected into a GTK application from the current working directory. |
CVE-2024-6655 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
GTK applications not reachable from TrueNAS internals. |
| libtiff6 4.5.0-6+deb12u1 |
A null pointer dereference flaw was found in Libtiff via `tif_dirinfo.c`. This issue may allow an attacker to trigger memory allocation failures through certain means, such as restricting the heap space size or injecting faults, causing a segmentation fault. This can cause an application crash, eventually leading to a denial of service. |
CVE-2024-7006 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
libtiff not exposed to forced memory failures |
| libnbd0 1.14.2-1 |
A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. |
CVE-2024-7383 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
libnbd not used in vulnerable fashion |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline. |
CVE-2024-7409 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
qemu not used in vulnerable fashion |
| qemu-block-extra 1:7.2+dfsg-7+deb12u6 |
A heap buffer overflow was found in the virtio-snd device in QEMU. When reading input audio in the virtio-snd input callback, virtio_snd_pcm_in_cb, the function did not check whether the iov can fit the data buffer. This issue can trigger an out-of-bounds write if the size of the virtio queue element is equal to virtio_snd_pcm_status, which makes the available space for audio data zero. |
CVE-2024-7730 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted VM guests. |
| gitpython 3.1.30 |
Untrusted search path under some conditions on Windows allows arbitrary code execution |
GHSA-2mqj-m65w-jghx |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Windows vulnerability. |
| cryptography 38.0.4 |
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack |
GHSA-3ww4-gg4f-jr7f |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Don't use RSA keys going forward. TrueNAS does not choose RSA for crypto keys. |
| pillow 9.4.0 |
Pillow buffer overflow vulnerability |
GHSA-44wm-f244-xhp3 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Pillow not installed. |
| pillow 9.4.0 |
Bundled libwebp in Pillow vulnerable |
GHSA-56pw-mpj4-fxww |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Pollow code not reachable for untrusted images. |
| aiohttp 3.8.5 |
aiohttp is vulnerable to directory traversal |
GHSA-5h86-8mv2-jq9f |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
aiohttp not used in vulnerable fashion |
| aiohttp 3.8.5 |
aiohttp vulnerable to Denial of Service when trying to parse malformed POST requests |
GHSA-5m98-qgg9-wh84 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
aiohttp not used for arbitrary POST requesrts. |
| cryptography 38.0.4 |
cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override |
GHSA-6vqw-3v5j-54x4 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
cryptography not called with unmatching certs and keys. |
| pillow 9.4.0 |
Pillow Denial of Service vulnerability |
GHSA-8ghj-p4vj-mr35 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Pillow not used for arbitrary image processing. |
| go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 |
otelgrpc DoS vulnerability due to unbound cardinality metrics |
GHSA-8pgv-569h-w5rw |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
DoS not reachable in TrueNAS code. |
| asyncssh 2.13.2 |
AsyncSSH Rogue Session Attack |
GHSA-c35q-ffpf-5qpm |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
asyncssh not used in vulnerable fashion |
| setuptools 66.1.1 |
setuptools vulnerable to Command Injection via package URL |
GHSA-cx63-2mw6-8hw5 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
setuptools not used for untrusted packages. |
| pycryptodomex 3.11.0 |
PyCryptodome and pycryptodomex side-channel leakage for OAEP decryption |
GHSA-j225-cvw7-qrx7 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
OAEP decrytption not used internally in TrueNAS. |
| pillow 9.4.0 |
libwebp: OOB write in BuildHuffmanTable |
GHSA-j7hp-h8jx-5ppr |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Pillow not used for untrusted image processing. |
| markdown-it-py 2.1.0 |
markdown-it-py Denial of Service vulnerability in the command line interface |
GHSA-jrwr-5x3p-hvc3 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
markdown not used in vulnerable fashion. |
| urllib3 1.26.12 |
`Cookie` HTTP header isn't stripped on cross-origin redirects |
GHSA-v845-jxx5-vc9f |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
urllib not used in vulnerable fashion |
| markdown-it-py 2.1.0 |
markdown-it-py Denial of Service vulnerability |
GHSA-vrjv-mxr7-vjf8 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
markdown not used in vulnerable fashion. |
| golang.org/x/net v0.17.0 |
Non-linear parsing of case-insensitive content in golang.org/x/net/html |
GHSA-w32m-9786-jp63 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Library not used in vulnerable fashion |
| gitpython 3.1.30 |
GitPython untrusted search path on Windows systems leading to arbitrary code execution |
GHSA-wfm5-v35h-vwf4 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Windows vulnerability. |
| cryptography 38.0.4 |
Vulnerable OpenSSL included in cryptography wheels |
GHSA-x4qr-2fvf-3mr5 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
Not building from from supplied wheels. |
| certifi 2022.9.24 |
Removal of e-Tugra root certificate |
GHSA-xqr8-7jwr-rhp7 |
high |
False Positive |
SCALE 24.10.2 |
|
Link |
External certificate issue. |
| dnsmasq-base 2.89-1 |
The Closest Encloser Proof aspect of the DNS protocol (in RFC 5155 when RFC 9276 guidance is skipped) allows remote attackers to cause a denial of service (CPU consumption for SHA-1 computations) via DNSSEC responses in a random subdomain attack, aka the "NSEC3" issue. The RFC 5155 specification implies that an algorithm must perform thousands of iterations of a hash function in certain situations. |
CVE-2023-50868 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
dnsmasq not used for DNSSEC in TrueNAS |
| stdlib go1.21.6 |
If errors returned from MarshalJSON methods contain user controlled data, they may be used to break the contextual auto-escaping behavior of the html/template package, allowing for subsequent actions to inject unexpected content into templates. |
CVE-2024-24785 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
go stdlib not used to parse untrusted JSON |
| libssl3 3.0.13-1~deb12u2 |
Issue summary: Some non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions Impact summary: An attacker may exploit certain server configurations to trigger unbounded memory growth that would lead to a Denial of Service This problem can occur in TLSv1.3 if the non-default SSL_OP_NO_TICKET option is being used (but not if early_data support is also configured and the default anti-replay protection is in use). In this case, under certain conditions, the session cache can get into an incorrect state and it will fail to flush properly as it fills. The session cache will continue to grow in an unbounded manner. A malicious client could deliberately create the scenario for this failure to force a Denial of Service. It may also happen by accident in normal operation. This issue only affects TLS servers supporting TLSv1.3. It does not affect TLS clients. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.0.2 is also not affected by this issue. |
CVE-2024-2511 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Requires non-default TLS server config. |
| iperf3 3.12-1+deb12u1 |
iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario. |
CVE-2024-26306 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
iperf3 server not used. |
| krb5-user 1.20.1-2+deb12u1 |
Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. |
CVE-2024-26462 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Memory leak. |
| libxencall1 4.17.3+10-g091466ba55-1~deb12u1 |
Because of a logical error in XSA-407 (Branch Type Confusion), the mitigation is not applied properly when it is intended to be used. XSA-434 (Speculative Return Stack Overflow) uses the same infrastructure, so is equally impacted. For more details, see: https://xenbits.xen.org/xsa/advisory-407.html https://xenbits.xen.org/xsa/advisory-434.html |
CVE-2024-31142 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Do not run untrusted guest VMs. |
| librados2 16.2.11+ds-2 |
|
CVE-2024-48916 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Qemu dependency |
| grub-common 2.99-9 |
grub2 allowed attackers with access to the grub shell to access files on the encrypted disks. |
CVE-2024-49504 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Grub shell not accessible |
| git 1:2.39.2-1.1 |
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt (i.e. without using any credential helper), it prints out the host name for which the user is expected to provide a username and/or a password. At this stage, any URL-encoded parts have been decoded already, and are printed verbatim. This allows attackers to craft URLs that contain ANSI escape sequences that the terminal interpret to confuse users e.g. into providing passwords for trusted Git hosting sites when in fact they are then sent to untrusted sites that are under the attacker's control. This issue has been patch via commits `7725b81` and `c903985` which are included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. |
CVE-2024-50349 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Git not used in vulnerable fashion |
| git 1:2.39.2-1.1 |
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. Git defines a line-based protocol that is used to exchange information between Git and Git credential helpers. Some ecosystems (most notably, .NET and node.js) interpret single Carriage Return characters as newlines, which renders the protections against CVE-2020-5260 incomplete for credential helpers that treat Carriage Returns in this way. This issue has been addressed in commit `b01b9b8` which is included in release versions v2.48.1, v2.47.2, v2.46.3, v2.45.3, v2.44.3, v2.43.6, v2.42.4, v2.41.3, and v2.40.4. Users are advised to upgrade. Users unable to upgrade should avoid cloning from untrusted URLs, especially recursive clones. |
CVE-2024-52006 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Git not used in vulnerable fashion |
| rclone 1.67.1 |
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2. |
CVE-2024-52522 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
rclone not used with --links and --metadata options |
| libc-bin 2.36-9+deb12u7 |
When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size. |
CVE-2025-0395 |
unknown |
False Positive |
SCALE 24.10.2 |
|
Link |
Unsafe assert messages not being used. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
M30 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
M40 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
M50 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
M60 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R10 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R20 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R20A |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R20B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R40 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R50 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R50B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| BMC IPMI firmware |
The IPMI 2.0 specification supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication, which allows remote attackers to obtain password hashes and conduct offline password guessing attacks by obtaining the HMAC from a RAKP message 2 response from a BMC. |
CVE-2013-4786 |
High |
Low |
R50BM |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R10 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R10 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R10 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R10 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R10 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R10 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R10 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R20 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R20 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R20 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R20 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R20 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R20 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R20 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R20A |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R20A |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R20A |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R20A |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R20A |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R20A |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R20A |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R40 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R40 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R40 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R40 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R40 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R40 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R40 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R50 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R50 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R50 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R50 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R50 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R50 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (1.71.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R50 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R20B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R20B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R20B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R20B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R20B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R20B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R20B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R50B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R50B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R50B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R50B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R50B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R50B |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R50B |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
R50BM |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
R50BM |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
R50BM |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
R50BM |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
R50BM |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
R50BM |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
R50BM |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
M30 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
M30 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
M30 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
M30 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
M30 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
M30 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
M30 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
M40 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
M40 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
M40 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
M40 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
M40 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
M40 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
M40 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
M50 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
M50 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
M50 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
M50 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
M50 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
M50 (G1/G2/G3) |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
M50 (G1/G2/G3) |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker needs to be logged into BMC with administrator privileges to exploit the vulnerability. An unvalidated input value could allow the attacker to perform command injection. |
CVE-2023-40289 |
False Positive |
False Positive |
M60 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40284 |
False Positive |
False Positive |
M60 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40287 |
High |
Low |
M60 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. |
CVE-2023-40288 |
High |
Low |
M60 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. This vulnerability can only be exploited using Windows IE11 browser. |
CVE-2023-40290 |
False Positive |
False Positive |
M60 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40285 |
False Positive |
False Positive |
M60 |
N/A |
Link |
N/A to iX custom FW |
| Supermicro BMC IPMI firmware (6.74.11) |
An attacker could send a phishing link that does not require login, tricking BMC administrators to click on that link while they are still logged in and thus authenticated by BMC Web UI. The attacker poisons the administrator’s browser cookies and local storage to create a new user. |
CVE-2023-40286 |
High |
Low |
M60 |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25636 |
High |
Low |
Mini E |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25636 |
High |
Low |
Mini E+ |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25636 |
High |
Low |
Mini X |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25637 |
High |
Low |
Mini E |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25637 |
High |
Low |
Mini E+ |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25637 |
High |
Low |
Mini X |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25638 |
High |
Low |
Mini E |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25638 |
High |
Low |
Mini E+ |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
| ASRock IPMI |
Redis process on the IPMI on ASRock motherboards is reachable via ssh port forwarding. |
ZDI-CAN-25638 |
High |
Low |
Mini X |
Not yet resolved |
Link |
As per iX recommended configuration, IPMI should be on a separate and secure network without Internet access to prevent exposure to this type of exploit - iX Rating is therefore Low. Also, the ssh service for the IPMI system can be disabled from the IPMI web page for your system. |
